{
	"id": "baee6282-1a60-40db-a087-a9820bb5378d",
	"created_at": "2026-04-06T00:21:42.747899Z",
	"updated_at": "2026-04-10T13:11:18.327184Z",
	"deleted_at": null,
	"sha1_hash": "7d14c02034bcec6f9877b790c51b3e850840eda1",
	"title": "Targeted Surveillance Attacks in Uzbekistan: An Old Threat with New Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1234970,
	"plain_text": "Targeted Surveillance Attacks in Uzbekistan: An Old Threat with New Techniques\r\nPublished: 2020-03-12 · Archived: 2026-04-05 18:12:23 UTC\r\nIntroduction\r\nA new Amnesty International investigation has identified a campaign of phishing and spyware attacks targeting Human Rights Defenders (HRDs) from Uzbekistan.\r\nIn May 2019, the Canadian non-profit organisation eQualitie released a report describing an attack campaign using web and phishing attacks against journalists and activists working on Uzbekistan. Based on this report, we began tracking the group behind these attacks. We identified a broader infrastructure along with new Windows and Android spyware used by the attackers.\r\nDuring the investigation, we identified a partial list of targets that confirmed that activists and journalists were targeted by this campaign. This report documents a worrying evolution in the surveillance threat facing HRDs in Uzbekistan: the attacks now appear more sophisticated than previously documented, and are able to bypass some of the security tools HRDs use to protect themselves against surveillance.\r\nHuman Rights and Surveillance in Uzbekistan\r\nAmnesty International has documented serious human rights violations in Uzbekistan, including pervasive torture by security forces and arbitrary detention. Impunity for past abuses continues to prevail despite recent reforms of the criminal justice system and the closure of detention centers notorious for torture. While more independent media outlets have now been able to operate inside Uzbekistan, the rights to freedom of expression, association and peaceful assembly continue to be tightly regulated, and civil society activists face reprisals for their peaceful activities.\r\nThe threat of torture, its actual use, and sexual violence have forced many HRDs, government critics and independent journalists to leave Uzbekistan. 
The few who remain in the country, including activists and journalists released from prison since 2017, and their families, have continued to be under surveillance and have faced intimidation, threats and arbitrary detention by the police and the State Security Service (SGB).\r\nThis physical surveillance and repression of Human Rights Defenders and journalists has been supported by a well-developed surveillance system. A Privacy International report from 2014 described the technical capabilities deployed within the country to monitor internet and phone communications. An Amnesty International report from 2017, titled ‘We will find you, anywhere’, described the threat of surveillance for HRDs, including several cases of email hacking using phishing attacks. In 2018, Amnesty International published concerns about the detention and interrogation of a number of users of the social media platform Facebook in Uzbekistan, on administrative charges brought after they posted comments on their Facebook accounts or ‘liked’ and shared posts of other social media users.\r\nhttps://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/\r\nPage 1 of 14\r\n
More recently, in October 2019, Kaspersky presented at a conference the cyber-attack framework of a group called SandCat, which they attribute to the Uzbekistani State Security Service.\r\nPhishing using Evolving Techniques\r\nWhat is phishing?\r\nCredential phishing (or “password-stealing phishing”) consists in the creation of a website that imitates the login prompt of a given online service, such as Gmail or Facebook, with the objective of luring a victim into visiting the malicious page and entering their username and password, thereby transmitting these credentials to the attackers.\r\nBased on the threat report published by eQualitie, we have investigated and tracked the evolution of the fake websites and internet infrastructure used by these attackers. The group was very active between May and September 2019, when several dozen domains were created. Many of these domains mimicked Google domains, such as acccountsgoog1e[.]com or auth-google[.]site, or generic email domains like auth-mail[.]email. (Please note: the domains have been purposefully modified by Amnesty International with the marking [.] in order to prevent accidental clicks and visits.)\r\nScreenshot of mail-auth[.]online (May 2019)\r\nOriginally the attackers used cloned pages of, for example, Google login prompts in order to lure targets and steal credentials. This is the most traditional and typical phishing technique, but it is rather simplistic. From June 2019 we observed an evolution in the phishing tactics adopted. Our research reveals that the group started to use a new phishing framework that acts as a relay between the phishing site and the real affected website, in order to bypass most forms of two-factor authentication. 
In technical language, this technique is often referred to as “session hijacking” and the framework used as a “reverse proxy”.\r\nWhat is Two-Factor Authentication (2FA)?\r\nTwo-factor authentication (often called 2FA) is the use of a second means of authentication besides a password. Common second factors include a temporary code delivered by SMS, a temporary code generated by a smartphone application (such as FreeOTP or Google Authenticator), and a cryptographic response produced by a hardware Security Key (like a YubiKey or Solo Key).\r\nAttacks bypassing some forms of second factor are not new. We published a report in December 2018 warning HRDs about them in the context of a phishing campaign with targets in the Middle East and North Africa. The latest attacks by this group in Uzbekistan represent the first time Amnesty International has observed session hijacking used in attacks against HRDs, but several open-source tools published in 2018 and 2019, such as Modlishka or Muraena, had already made this capability publicly available to the information security community.\r\nIn practice, a reverse proxy used for phishing will intercept all credentials and any two-factor authentication code (typically retrieved via SMS or an authenticator app) and deliver them to the legitimate service, in this case Google. The service will verify the credentials and, if correct, successfully sign the victim in to their account. 
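The relay described above, carried through in code as an added example that is not part of the Amnesty report: a toy relying party accepts a password plus a TOTP code, a reverse proxy forwards both to the real service and keeps the session id it gets back, and the same relay then fails against a FIDO-style Security Key because the signed client data names the origin the browser is really on. The service, the two origins, the secrets and the HMAC stand-in for the key's signature are all assumptions made for this illustration; only the TOTP construction (RFC 6238) is the real algorithm.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed values for this illustration, not indicators from the investigation.
LEGIT_ORIGIN = 'https://accounts.example.com'
PHISH_ORIGIN = 'https://acccounts-example.net'  # the lookalike the victim is lured to


def totp(secret, now):
    # RFC 6238 TOTP, 30 s step, 6 digits, HMAC-SHA1 over a raw-byte secret: the
    # kind of second factor an authenticator app shows and a relay can forward.
    mac = hmac.new(secret, struct.pack('>Q', int(now // 30)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF
    return '%06d' % (code % 1000000)


class Service:
    # Toy relying party standing in for the legitimate site (Google in the report).
    def __init__(self):
        self.password = 'correct horse battery'
        self.otp_secret = secrets.token_bytes(20)
        self.key_secret = secrets.token_bytes(32)  # stands in for the registered key credential
        self.sessions = {}
        self.challenges = set()

    def login_with_otp(self, password, code, now):
        if password != self.password or not hmac.compare_digest(code, totp(self.otp_secret, now)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = 'victim'
        return sid  # what the browser would receive in Set-Cookie

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_with_key(self, password, client_data, signature):
        # FIDO-style verification: the signed client data must carry this site's
        # origin and an outstanding challenge, and the signature must cover it exactly.
        data = json.loads(client_data)
        if password != self.password or data.get('origin') != LEGIT_ORIGIN:
            return None
        if data.get('challenge') not in self.challenges:
            return None
        expected = hmac.new(self.key_secret, client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.challenges.discard(data['challenge'])
        sid = secrets.token_hex(16)
        self.sessions[sid] = 'victim'
        return sid


class SecurityKey:
    # The token signs the client data the browser hands it; the origin in that
    # client data is filled in by the browser from the page the user is really on.
    def __init__(self, secret):
        self.secret = secret

    def sign(self, challenge, browser_origin):
        client_data = json.dumps({'challenge': challenge, 'origin': browser_origin}, sort_keys=True)
        return client_data, hmac.new(self.secret, client_data.encode(), hashlib.sha256).digest()


class ReverseProxyPhish:
    # The attacker's relay: whatever the victim submits on the lookalike page is
    # replayed to the real service, and whatever comes back is recorded.
    def __init__(self, service):
        self.service = service
        self.captured = {}

    def relay_otp_login(self, password, code, now):
        sid = self.service.login_with_otp(password, code, now)
        self.captured.update(password=password, otp=code, session=sid)
        return sid

    def relay_key_login(self, password, key):
        challenge = self.service.new_challenge()              # fetched from the real site
        client_data, sig = key.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the phishing origin
        sid = self.service.login_with_key(password, client_data, sig)
        if sid is None:
            # Rewriting the origin field does not help: the signature no longer matches.
            forged = client_data.replace(PHISH_ORIGIN, LEGIT_ORIGIN)
            sid = self.service.login_with_key(password, forged, sig)
        self.captured.update(password=password, session=sid)
        return sid


def demo(now=1700000000):
    svc = Service()
    proxy = ReverseProxyPhish(svc)
    key = SecurityKey(svc.key_secret)
    victim_code = totp(svc.otp_secret, now)  # read off the victim's authenticator app
    otp_session = proxy.relay_otp_login(svc.password, victim_code, now)
    key_session = proxy.relay_key_login(svc.password, key)
    return {'otp_bypassed': otp_session in svc.sessions, 'key_bypassed': key_session is not None}
```

demo() returns otp_bypassed True and key_bypassed False: the forwarded password and code are accepted by the real service and the proxy walks away with a live session id, while the key's response is useless to the proxy because neither the origin it carries nor a patched copy of it verifies. A real authenticator uses an asymmetric signature rather than the shared HMAC used here, but the origin check is the same.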
However, because the reverse proxy sits on the connection between the victim and the legitimate service, the attackers are able to steal any token generated to establish the authenticated session (typically the session cookie) and reuse it to access the compromised account.\r\nReverse-proxy phishing attack used to bypass 2FA protection\r\nWith this technique attackers can bypass most forms of second-factor authentication, except Security Keys such as YubiKeys or SoloKeys. These hardware tokens only produce a response for a website they were registered with, and the browser binds that response to the domain actually being visited, so a key registered for the legitimate site will not produce a valid response for a lookalike domain. If a target is equipped with a Security Key, the phishing attack will fail because the key will refuse to authenticate on the malicious domain the attackers lured the target to.\r\nTwo different hardware tokens: SoloKeys and YubiKeys\r\nWindows Spyware\r\nIn addition to the phishing attacks, in May 2019 we also identified two malicious Windows installers hosted on the domain msoffice365[.]win, which appears linked to the phishing campaign described above. 
Amnesty International identified an infected Adobe Flash Player installer and an infected Telegram Desktop installer, both deploying variants of the same spyware along with the legitimate software.\r\nScreenshot of the Telegram Desktop installer modified to install the spyware\r\nOnce installed, the spyware toolkit used by the attackers is capable of:\r\nLogging all keystrokes;\r\nTaking screenshots of the desktop every few seconds;\r\nStealing passwords and cookies.\r\nAll the harvested data is then sent to an attacker-operated server located at hpphhpph[.]com.\r\nThe toolkit is composed of a variety of scripts seemingly developed by the attackers, and a Trojan derived from a well-known open-source tool known as Quasar RAT.\r\nAndroid Spyware\r\nDuring the investigation, we identified an Android spyware sample communicating with the domain garant-help[.]com, a Command and Control server we found linked to this campaign. This sample is an extended version of Droid-Watcher, an open-source Android spyware that was discontinued by its main developer in 2016. 
This sample seems largely based on the original Droid-Watcher code with some additional features and updates.\r\nThis spyware has the following features:\r\nExtract device information (configuration, IMEI, phone number, history of Wi-Fi networks, etc.);\r\nMonitor chat applications, including VKontakte, WhatsApp, Viber, Facebook, IMO, TamTam, Telegram;\r\nMonitor phone calls and text messages;\r\nRecord phone calls;\r\nRecord audio and video from the embedded microphone and cameras;\r\nTake screenshots;\r\nMonitor the clipboard;\r\nMonitor the geographical location of the device;\r\nExtract the browser history;\r\nReceive commands by text messages.\r\nIdentification of Targets\r\nWhile investigating the attackers’ infrastructure, we identified an open directory on one of the servers used to host phishing websites. This directory publicly exposed a collection of email templates, most likely used by the attackers to design and deliver the phishing emails to the respective targets. Most of these files came pre-populated with the email addresses of targeted individuals.\r\nMost of these emails were disguised as email alerts from services such as Google or Mail.ru.\r\nFrom these exposed templates we identified 170 targeted accounts, although we suspect them to represent only a subset of the complete list of individuals targeted in this campaign. 
Most targets we identified are part of universities or governmental organisations of countries neighbouring Uzbekistan, along with several HRDs from Uzbekistan, whom Amnesty International took steps to contact, notify and support.\r\nConclusion\r\nThis report documents that targeted surveillance remains a threat to HRDs in Uzbekistan. The UN Special Rapporteur on the right to Freedom of Expression, David Kaye, has called on states to impose an immediate moratorium on the export, sale, transfer, use or servicing of privately developed surveillance tools until rigorous human rights safeguards are put in place to regulate such practices. Amnesty International supports this call. As the Special Rapporteur has noted, “It is insufficient to say that a comprehensive system for control and use of targeted surveillance technologies is broken. It hardly exists.”\r\nThis call is especially urgent in the context of Uzbekistan, where the legal framework for secret surveillance provides insufficient safeguards against abuse and where direct state access to data is facilitated by the SORM system (a system allowing state authorities to directly access communications and associated data). 
It is well established that “even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association.” Where, as in Uzbekistan, states fail to put in place adequate safeguards, these chilling effects will lead to an environment in which HRDs cannot realise their rights and struggle to do their job effectively and in safety.\r\nIf you believe you have been targeted with attacks similar to the ones described here, or if you are a Human Rights Defender working on Uzbekistan and you think you may be targeted by a similar operation, please contact us at:\r\nRecommendations\r\nTo the Government of Uzbekistan:\r\nReform laws to bring the legal regime and related surveillance practices in line with international human rights law and standards.\r\nTo Other Governments:\r\nImpose an immediate moratorium on the export, sale, transfer, use or servicing of privately developed surveillance tools until a human rights compliant safeguards regime is in place.\r\nTo Companies:\r\nPut in place robust safeguards to ensure that any use of their products or services is compliant with human rights standards.\r\nTo Users:\r\nAs we have been reporting since December 2018, techniques to bypass common forms of two-factor authentication are becoming increasingly popular among attackers. Targeted individuals at risk should consider equipping themselves with hardware Security Keys, also known as U2F keys, and enable them wherever possible. With online services which do not yet support Security Keys, we nevertheless recommend enabling any other, less resilient, form of two-factor authentication available. 
For example, secondary verification using codes delivered via SMS or an authenticator app still provides better security than none at all, and can help thwart casual phishing or password reuse.\r\nIf you want to read more about phishing and its countermeasures, please refer to Security Without Borders’ Guide to Phishing.\r\nAppendix: Technical Details on the Investigation\r\nPhishing Using Reverse Proxies\r\nThis group relies largely on phishing attacks: we have identified 71 domains hosting phishing websites between May and September 2019.\r\nOriginally, this group used HTML copies of login pages for phishing. In June 2019, we observed the use of a new tool that acted as a reverse proxy between the phishing domains and the actual platforms in order to hijack sessions. We believe that the attackers relied on a custom-made JavaScript phishing tool.\r\nOne proof that these phishing domains were using the reverse-proxy technique is that we could fully interact with the Google platform through the fake domain. For instance, we could run the query “what is my IP?” in the Google search engine through the fake domain, and the answer was the IP address of the reverse proxy server, since Google saw the request as coming from the proxy rather than from our browser:\r\nAt the same time as this change in the phishing toolkit, we started to see more and more domains mimicking and proxying traffic to bank and cryptocurrency websites. The phishing domains and websites observed by eQualit.ie since 2016 and by us from May 2019 almost exclusively copied large email providers (mostly Gmail, but also Yandex or Yahoo). From May 2019 to July 2019, we started to see the attackers register and use domains imitating bank and cryptocurrency websites. We could attribute these domains to the same attacker network because they were hosted on the same servers that hosted other phishing domains. 
For instance, in July 2019 the OVH server 51.83.97[.]40 hosted at the same time fake Gmail domains like gmail-warning[.]top and fake bank domains like mynavyfedral[.]org. This suggests that the attackers might also be involved in online economic crime.\r\nPhishing website for FrostBank on frosdank[.]com (July 2019)\r\nHere is the list of such domains, most of them registered between May and August 2019:\r\nRegistration Date | Malicious Domain | Proxying Traffic or Mimicking\r\n2019-05-02 | navyfedera1[.]org | https://www.navyfederal.org/\r\n2019-05-20 | frostdank[.]com | https://www.frostbank.com/\r\n2019-05-27 | comericac[.]com | https://www.comerica.com/\r\n2019-07-03 | lamatrest[.]xyz | https://www.bmo.com/\r\n2019-07-16 | mynavyfedral[.]org | https://www.navyfederal.org/\r\n2019-07-17 | desktest5[.]xyz | https://www.scotiabank.com/\r\n2019-07-19 | testdhome4[.]xyz | https://www.blockchain.com/\r\n2019-07-29 | xn--blckchain-17c[.]com | https://www.blockchain.com/\r\n2019-08-07 | xn--navyfderal-36a[.]com | https://www.navyfederal.org/\r\n2019-08-07 | xn--navyfedera-j0b[.]org | https://www.navyfederal.org/\r\n2019-08-07 | xn--bckchain-v3a30f[.]com | https://www.blockchain.com/\r\n2019-08-15 | xn--avfedera-yubm[.]org | https://www.navyfederal.org/\r\n2018-09-22 | rc-room[.]com | https://www.coinbase.com/\r\nUnknown | nitroqensports[.]eu | https://nitrogensports.eu/\r\nWindows Malware\r\nIn May 2019, we identified two backdoored Windows installers hosted on the domain msoffice365[.]win, one Adobe Flash Player installer and one Telegram Desktop installer, both installing variants of the same malicious toolkit along with the legitimate software.\r\nBoth of these malicious samples rely on a set of VBS scripts and a DLL to gather information 
on the system and send it to the domain hpphhpph[.]com.\r\nThe fake Adobe Flash Player installs the following files:\r\nIn C:\\Program Files (x86)\\Adobe Company\\Adobe Flash Player\r\nAdobe Flash Player Updater.vbs\r\nflashplayer31pp_ka_install.exe (legitimate Flash Player installer)\r\nUninstall.exe (legitimate uninstaller)\r\nUninstall.ini (legitimate uninstaller info file)\r\nIn C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Adobe Flash Player\r\nAdobe Flash Player.dll\r\nAdobe Flash Player Key.vbs\r\nDuring the installation, the malicious script Adobe Flash Player Updater.vbs is launched along with the legitimate installer flashplayer31pp_ka_install.exe. Adobe Flash Player Updater.vbs is a VBS script in charge of registering the newly compromised device with the Command \u0026 Control server, gathering information on the host (information on the device, list of installed applications, logs of Telegram chats, Firefox, The Bat email client and Total Commander FTP credentials, Chrome, Firefox and Opera history) and creating scheduled tasks so that Adobe Flash Player Updater.vbs and Adobe Flash Player Key.vbs are launched every minute.\r\nAdobe Flash Player Key.vbs is a VBS script that launches Adobe Flash Player.dll, a tool that takes a screenshot of the screen every second and runs a keylogger, and then sends the captured images and keystrokes to the C\u0026C server.\r\nThe Telegram installer relies on variants of the same scripts with a few additional tools:\r\nGoogleUpdateTaskMachineKernel.vbs: a script to download additional modules from the C\u0026C server and run them through scheduled tasks\r\nEsetNod32_v3.5.dll and EsetNod32_v4.dll, which are more advanced password and cookie stealers reusing code taken from Quasar RAT, an open-source Windows 
malware.\r\nThis patchwork of different tools combined with easy-to-update VBS scripts allows the attackers to heavily monitor the activity of a compromised computer by sending, every minute, any keystroke typed, screenshot taken, new password and browsing history, thus providing a complete view of the user's activity.\r\nAndroid Malware\r\nDuring our enumeration of the infrastructure, we identified an Android spyware sample communicating with one of the domains of this operation (garant-help[.]com) as Command and Control server. This sample is an improved version of Droid-Watcher, an open-source Android malware that was discontinued by its main developer in 2016.\r\nOne update from Droid-Watcher is that this malware retrieves the location of the Command and Control server it communicates with from an encoded string included in the description of a Twitter account registered as @Worldwi81061401 (we notified Twitter about this account, which was later suspended):\r\nScreenshot of the Twitter profile @Worldwi81061401 (July 2019, now suspended)\r\nThe encoded string in the profile description (LPLO8Z42NVS.Q3F), once decoded, gives the domain garant-help[.]com.\r\nIndicators of Compromise\r\nWe are releasing here indicators of compromise for this campaign. 
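An added example (Python written for this page, not code from the report or from the AmnestyTech repository) showing how to work with the indicators above: the xn-- entries from the appendix table are decoded from punycode so the lookalike character becomes visible, every lookalike (including the digit substitutions in acccountsgoog1e and navyfedera1) is reduced to an ASCII skeleton that recovers the brand being imitated, and the whole set is matched against a few constructed DNS log lines. The log format and the small confusables map are assumptions; the domains are the ones published in the report, defanged as there.

```python
import codecs
import unicodedata

# Defanged domains as published in the report, with the role or brand the
# report associates with each one.
IOC_DOMAINS = {
    'acccountsgoog1e[.]com': 'google', 'auth-google[.]site': 'google',
    'msoffice365[.]win': 'spyware hosting', 'hpphhpph[.]com': 'windows c2',
    'garant-help[.]com': 'android c2', 'gmail-warning[.]top': 'gmail',
    'navyfedera1[.]org': 'navyfederal', 'mynavyfedral[.]org': 'navyfederal',
    'frostdank[.]com': 'frostbank', 'comericac[.]com': 'comerica',
    'xn--blckchain-17c[.]com': 'blockchain', 'xn--navyfderal-36a[.]com': 'navyfederal',
    'xn--navyfedera-j0b[.]org': 'navyfederal', 'xn--bckchain-v3a30f[.]com': 'blockchain',
    'xn--avfedera-yubm[.]org': 'navyfederal',
}

# NFKD strips accents but leaves some lookalikes intact (l with stroke has no
# decomposition), so a small, assumed confusables map supplements it.
CONFUSABLES = {'ł': 'l', 'ı': 'i', 'ø': 'o', 'đ': 'd', '1': 'l', '0': 'o'}


def refang(domain):
    return domain.replace('[.]', '.').lower()


def to_unicode(domain):
    # Decode each xn-- label with the punycode codec directly (IDNA ToUnicode
    # without IDNA's validation, so odd registrant choices still decode).
    labels = []
    for label in domain.split('.'):
        if label.startswith('xn--'):
            label = codecs.decode(label[4:].encode('ascii'), 'punycode')
        labels.append(label)
    return '.'.join(labels)


def skeleton(label):
    # Collapse a label to the ASCII string it is trying to look like.
    out = []
    for ch in unicodedata.normalize('NFKD', label):
        if unicodedata.category(ch).startswith('M'):
            continue  # drop combining marks left over from the decomposition
        out.append(CONFUSABLES.get(ch, ch))
    return ''.join(out)


def describe(defanged):
    ascii_form = refang(defanged)
    unicode_form = to_unicode(ascii_form)
    return {'ascii': ascii_form, 'unicode': unicode_form,
            'skeleton': skeleton(unicode_form.split('.')[0])}


def match_dns_log(lines, iocs=IOC_DOMAINS):
    # Each line: date time client qname qtype (constructed format). A query for
    # an IOC domain or any subdomain of it counts as a hit.
    bad = {refang(d): role for d, role in iocs.items()}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        qname = parts[3].rstrip('.').lower()
        labels = qname.split('.')
        for i in range(len(labels) - 1):
            candidate = '.'.join(labels[i:])
            if candidate in bad:
                hits.append((parts[0] + ' ' + parts[1], parts[2], qname, candidate, bad[candidate]))
                break
    return hits


# Constructed log lines for the demonstration; only the second and third match.
SAMPLE_LOG = [
    '2019-07-16 10:02:11 10.0.0.12 www.navyfederal.org A',
    '2019-07-16 10:02:40 10.0.0.12 www.mynavyfedral.org A',
    '2019-08-07 14:20:05 10.0.0.31 xn--navyfedera-j0b.org A',
    '2019-08-07 14:21:30 10.0.0.31 www.google.com A',
]
```

describe('xn--navyfderal-36a[.]com') decodes to navyfèderal.com and skeletons to navyfederal; describe('xn--navyfedera-j0b[.]org') decodes to navyfederał.org, where the stroke survives NFKD and only the confusables map brings it back to navyfederal. Matching is done on the ASCII form, which is what appears in DNS and proxy logs; the decoded form is for the analyst reading the alert.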
If you think you have been targeted by this campaign, or if you have some information on this operation, please contact us at\r\nYou can find a full list of indicators of compromise on this GitHub repository:\r\nhttps://github.com/AmnestyTech/investigations/tree/master/2020-03-12_uzbekistan\r\nSource: https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/"
	],
	"report_names": [
		"targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d14c02034bcec6f9877b790c51b3e850840eda1.pdf",
		"text": "https://archive.orkl.eu/7d14c02034bcec6f9877b790c51b3e850840eda1.txt",
		"img": "https://archive.orkl.eu/7d14c02034bcec6f9877b790c51b3e850840eda1.jpg"
	}
}