{ "id": "af18926e-3049-49b8-b06a-24ac871a671d", "created_at": "2026-04-06T00:20:05.38634Z", "updated_at": "2026-04-10T03:27:57.401617Z", "deleted_at": null, "sha1_hash": "7f519e2a025f4878ee2a1db34e53c78c2cb84698", "title": "Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN - Arctic Wolf", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 171064, "plain_text": "Arctic Wolf Labs Observes Increased Fog and Akira Ransomware\r\nActivity Linked to SonicWall SSL VPN - Arctic Wolf\r\nBy Steven Campbell, Akshay Suthar, and Stefan Hostetler\r\nPublished: 2024-10-24 · Archived: 2026-04-05 15:05:43 UTC\r\nKey Takeaways\r\nArctic Wolf has observed an influx of at least 30 Akira and Fog intrusions across a variety of industries\r\nsince early August, each involving SonicWall SSL VPN early in the cyber kill chain.\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 1 of 10\n\nMalicious VPN logins originated from IP addresses associated with VPS hosting, providing defenders with\r\na viable mechanism for early detection and prevention.\r\nNone of the affected SonicWall devices were patched against CVE-2024-40766, which SonicWall indicates\r\nis potentially under active exploitation.\r\nShared IP infrastructure was seen across several Akira and Fog intrusions.\r\nA short interval between initial SSL VPN account access and ransomware encryption was observed, often\r\nwithin the same day.\r\nSummary\r\nIn early August, Arctic Wolf Labs began observing a marked increase in Fog and Akira ransomware intrusions\r\nwhere initial access to victim environments involved the use of SonicWall SSL VPN accounts. Based on\r\nvictimology data showing a variety of targeted industries and organization sizes, we assess that the intrusions are\r\nlikely opportunistic, and the threat actors are not targeting a specific set of industries.\r\nOn September 6, 2024, SonicWall indicated that CVE-2024-40766 was potentially under active exploitation.\r\nWhile we do not have definitive evidence of this vulnerability being exploited in the intrusions we investigated,\r\nall SonicWall devices involved were running firmware versions affected by it. Although credential-based attacks\r\ncan’t be ruled out in some intrusions, the trend of increased threat activity against SonicWall devices highlights\r\nthe necessity of maintaining firmware updates and implementing external log monitoring.\r\nWe are sharing details of the observed ransomware activity to help organizations defend themselves effectively\r\nagainst these threats. Please note that we may add further details to this blog article as we uncover additional\r\ninformation, as our investigation into these activities is still ongoing.\r\nWhat we Know About the Intrusions\r\nPrior to the month of August 2024, Fog and Akira ransomware intrusions investigated by Arctic Wolf Incident\r\nResponse involved a variety of firewall brands. However, new caseload since early August shows a skew towards\r\nSonicWall in new intrusions where Akira and Fog ransomware encryptor payloads were deployed, spanning\r\nacross 30 new ransomware intrusions between the start of August until the time of this writing (mid-October\r\n2024). Akira ransomware was deployed in approximately 75% of these intrusions and Fog ransomware was\r\ndeployed in the remaining 25%. The duration between initial SSL VPN access to acting on ransom/encryption\r\nobjectives was as short as 1.5 to 2 hours in some intrusions, while in other intrusions the interval was closer to 10\r\nhours.\r\nInitial Access\r\nIn the firewall logs reviewed by Arctic Wolf Labs, there was no definitive evidence confirming exploitation of any\r\nknown remote code execution vulnerabilities. On the other hand, none of the SonicWall devices in the reviewed\r\nintrusions were shown to be running new enough firmware versions to prevent exploitation of CVE-2024-40766.\r\nAdditionally, in intrusions where firewall telemetry was available, malicious SonicWall SSL VPN login events\r\nwere observed that originated from VPS (Virtual Private Server) hosting providers.\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 2 of 10\n\nIn almost all intrusions, connections to the VPNs originated from hosting-related ASNs. In two separate sets of\r\nintrusions, we observed Akira ransomware affiliates logging in to the victims’ SonicWall VPNs using the same\r\nVPS IP addresses as identified in separate Fog intrusions (AS64236 – UnReal Servers, LLC and AS32613 –\r\nLeaseweb Canada Inc.).\r\nSimilar to our findings on September 6, 2024, compromised SSL VPN accounts were local to the SonicWall\r\ndevices themselves and were not integrated with a centralized authentication solution such as Microsoft Active\r\nDirectory. Arctic Wolf Labs was not able to confirm any instances where multi-factor authentication (MFA) was\r\nenabled among compromised accounts.\r\nIn several instances, victim organizations’ SSL VPN services were running on the default port of 4433. In\r\nintrusions where firewall logs were captured, message event ID 238 (WAN zone remote user login allowed) or\r\nmessage event ID 1080 (SSL VPN zone remote user login allowed) were observed. Following one of these\r\nmessages, there were several SSL VPN INFO log messages (event ID 1079) indicating that login and IP\r\nassignment had completed successfully. Threat actors commonly sought to delete firewall logs upon gaining\r\naccess to compromised environments.\r\nid=firewall sn=REDACTED time=REDACTED fw=REDACTED pri=6 c=0 m=1080 msg=\"SSL VPN zone remote user logi\r\nid=firewall sn=REDACTED time=REDACTED fw=REDACTED pri=6 c=0 m=1079 msg=\"User REDACTED login\" sess=\"ss\r\nid=firewall sn=REDACTED time=REDACTED fw=REDACTED pri=6 c=0 m=1079 msg=\"Client REDACTED is assigned I\r\nEncryption\r\nAs previously observed with Fog, there was rapid encryption in the intrusions. In some intrusions, the duration\r\nbetween initial access to data encryption took place over several hours. Threat actors demonstrated focus on\r\nstorage of virtual machines and their backups.\r\nData Exfiltration\r\nBased on command line activities observed during exfiltration, we can begin to see what data these ransomware\r\naffiliates were most interested in. General folders containing applications, staff documents, or generic files were\r\nonly exfiltrated up to six months’ worth of data. Whereas, folders containing potentially more sensitive\r\ninformation, such as documents from human resources or accounts payable departments had up to 30 months\r\nworth of data exfiltrated.\r\nConclusion\r\nBased on intrusions investigated by Arctic Wolf since early August, a significant amount of activity was observed\r\ninvolving Fog and Akira ransomware in environments using the SonicWall SSL VPN service. Visibility gaps\r\nhampered analysis of firewall logs across a subset of intrusions, while others suggested that existing accounts had\r\nbeen compromised.\r\nWe do not have definitive evidence that the threat actors exploited remote code execution vulnerabilities such as\r\nCVE-2024-40766 to compromise SonicWall appliances. In some instances, VPN credentials may have been\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 3 of 10\n\nobtained through another means, such as data breaches, for example. Nonetheless, as we’ve indicated previously\r\nin our September security bulletin, our findings suggest that defenders should prioritize remediation of this\r\nvulnerability to rule out potential exploitation.\r\nThere have been several notable developments in the threat landscape since our initial Fog ransomware\r\npublication in June 2024. The Fog affiliates we have visibility into are now exfiltrating data, as is common\r\npractice in most ransomware intrusions. Additionally, victimology of intrusions involving Fog ransomware have\r\ndiverged from the education sector, indicating a more opportunistic approach than previously observed.\r\nBoth Akira and Fog affiliates have shown an interest in compromising SSL VPN accounts on SonicWall\r\nappliances, rapid encryption of VM storage data, and exfiltration of sensitive data to increase the likelihood of a\r\nransom payment. Across the latest influx of intrusions we examined, a short duration was observed between initial\r\naccess and action on objectives, leaving minimal time for defenders to thwart their activities.\r\nTo effectively protect against these and other emerging ransomware threats, defenders should prioritize keeping\r\nfirmware up to date on perimeter network appliances, monitoring for VPN logins from hosting providers that are\r\nnot expected in their environments, ensuring that secure off-site backups are in place, and monitoring for common\r\npost-compromise activities across endpoints.\r\nHow Arctic Wolf Protects its Customers\r\nArctic Wolf is committed to ending cyber risk for its customers, and when active ransomware campaigns are\r\nidentified we move quickly to protect our customers.\r\nArctic Wolf Labs has leveraged threat intelligence around Akira and Fog ransomware activity to implement new\r\ndetections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we\r\ndiscover new information, we will enhance our detections to account for additional indicators of compromise and\r\ntechniques leveraged by these threat actors.\r\nAppendix\r\nTactics, Techniques, and Procedures (TTPs)\r\nTactic Technique Sub-techniques or Tools\r\nInitial Access\r\nT1133: External Remote\r\nServices\r\nT1078: Valid Accounts\r\n• Compromised VPN Credentials\r\n• T1078.002: Domain accounts\r\nDiscovery\r\nT1046: Network Service\r\nDiscovery\r\n• SoftPerfect Network Scanner\r\n• Advanced Port Scanner\r\nT1482: Domain Trust\r\nDiscovery\r\n• NLTest\r\n• AdFind\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 4 of 10\n\nLateral\r\nMovement\r\nT1021: Remote Services\r\n• T1021.001: Remote Desktop Protocol\r\n• T1021.002: SMB/Windows Admin Shares\r\nT1570: Lateral Tool\r\nTransfer\r\n• PsExec\r\nCredential\r\nAccess\r\nT1555: Credentials from\r\nPassword Stores\r\n• PowerShell script (Veeam-Get-Creds.ps1) to obtain\r\npasswords from the Veeam Backup and Replication\r\nCredentials Manager\r\nT1003: OS Credential\r\nDumping\r\n• Mimikatz\r\n• Secretsdump.py\r\n• DPAPI Domain Backup Key Extraction\r\nExecution\r\nT1059: Command and\r\nScripting Interpreter\r\n• T1059.003: Windows Command Shell\r\nCommand and\r\nControl\r\nT1219: Remote Access\r\nSoftware\r\n• AnyDesk\r\n• Putty\r\n• MobaXterm\r\nCollection\r\nT1560: Archive\r\nCollected Data\r\n• T1560.001: Archive via Utility\r\n• 7-Zip\r\n• WinRAR\r\nExfiltration\r\nT1567: Exfiltration Over\r\nWeb Service\r\n• T1567.002: Exfiltration to Cloud Storage\r\n• Rclone\r\nT1048: Exfiltration Over\r\nAlternative Protocol\r\n• T1048.003: Exfiltration Over Unencrypted Non-C2\r\nProtocol\r\n• WinSCP\r\n• FileZilla\r\nImpact\r\nT1486: Data Encrypted\r\nfor Impact\r\n• Akira Payload\r\n• Fog Payload\r\nT1490: Inhibit System\r\nRecovery\r\n• vssadmin.exe used to delete volume shadow copies on the\r\nsystem.\r\nTools\r\nName Description\r\nPsExec\r\nA tool that allows threat actors to execute processes on other systems with full\r\ninteractivity for console applications. The threat actors leveraged PsExec to move\r\nlaterally and execute commands.\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 5 of 10\n\nAdvanced IP\r\nScanner\r\nFree network scanner. The threat actors used Advanced IP Scanner to discover network\r\ndevices.\r\nAdvanced Port\r\nScanner\r\nFree port scanner. The threat actors used Advanced Port Scanner to discover network\r\nservices.\r\nSoftPerfect\r\nNetwork Scanner\r\nNetwork administration tool for Windows, macOS, and Linux. The threat actors used\r\nSoftPerfect to discover network services.\r\nAnyDesk Remote desktop application. Threat actors used it for remote access\r\nMobaXterm Remote access toolset, that includes a Windows SSH client. Used for persistence.\r\nWinRAR File archiver utility. Threat actors used it to create archive files for exfiltration.\r\nMimikatz\r\nOpen-source tool that can be used to gain access to hashes, passwords, and Kerberos\r\ntickets. Used for credential access.\r\nRclone\r\nCommand line program used to sync files and directories to cloud storage providers.\r\nThe threat actors used Rclone to exfiltrate data.\r\nVeeam-Get-Creds.ps1An open-source PowerShell script used by the threat actors to obtain passwords from\r\nthe Veeam Backup and Replication Credentials Manager.\r\nIndicators of Compromise (IoCs)\r\nIndicator Type Description\r\n.fog\r\nFile\r\nExtension\r\nFog ransomware extension\r\n.flocked\r\nFile\r\nExtension\r\nFog ransomware extension\r\n.akira\r\nFile\r\nExtension\r\nAkira ransomware extension\r\n7z2407-x64.exe File Name 7-zip\r\nAIPScanner.exe File Name Advanced IP Scanner\r\nnetscan_n.exe File Name SoftPerfect Network Scanner\r\nadfind.exe File Name AdFind\r\nsys.exe File Name Renamed rclone\r\nreadme.txt File Name Fog ransom note\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 6 of 10\n\nmimikatz.exe File Name Mimikatz\r\n1.bat File Name Potential ransomware deployment script\r\nakira_readme.txt File Name Akira ransom note\r\nesxi6 File Name Akira ESXI ransomware binary\r\n.loc File Name Fog ESXI ransomware binary\r\nkali Hostname Threat Actor hostname\r\nWORKSTATION Hostname Threat Actor hostname\r\n77.247.126[.]158\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n208.115.232[.]194\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n184.107.5[.]46\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n66.181.33[.]32\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n185.235.137[.]150\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n45.11.59[.]16\r\nIPv4\r\nAddress\r\nTA connection to VPN\r\n79.141.173[.]238\r\nIPv4\r\nAddress\r\nAnyDesk connection IP\r\n57.128.101[.]78\r\nIPv4\r\nAddress\r\nAnyDesk C2 IP\r\n194.33.45[.]167\r\nIPv4\r\nAddress\r\nExfiltration IP\r\n23.227.162[.]18\r\nIPv4\r\nAddress\r\nExfiltration IP\r\n45.86.208[.]146\r\nIPv4\r\nAddress\r\nFileZilla Exfiltration IP\r\n3477a173e2c1005a81d042802ab0f22cc12a4d55 SHA-1 Advanced Port Scanner\r\n86233a285363c2a6863bf642deab7e20f062b8eb SHA-1 Advanced IP Scanner\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 7 of 10\n\nce4758849b53af582d2d8a1bc0db20683e139fcc SHA-1 Advanced IP Scanner\r\n67396e1aacacb6efbca51f4c03d2017af78c9842 SHA-1 Angry IP Scanner\r\n806a232379ad0af437d4bc5b87fb42065dbf82d4 SHA-1 SoftPerfect Network Scanner\r\ne6b34a589e61b155ab70f11f8f7393316c9a3189 SHA-1 SoftPerfect Network Scanner\r\n1d345799307c9436698245e7383914b3a187f1ec SHA-1 Rclone\r\nce8de59e2277e9003f3a9c96260ce099ca7cda6c SHA-1 WinRAR\r\n15035d9f218a4629a8449829eba85b40806f4f59 SHA-1 WinRAR\r\n7931b85054c29be4cc3c9250a5dc4a821a44604 SHA-1 WinRAR\r\nc26cfb9f9910fe585630940a777022702257548d SHA-1 WinRAR\r\n8ea2bf726044e98479076d0e64327f7ae7a6e5f2 SHA-1 FileZilla\r\n99ed6135defff6e675d626f742389d6280abdb60 SHA-1 FileZilla\r\nc1f271e5ced7a5badf62042ab882584e45aeab37 SHA-1 WinSCP\r\n8e81daa8c88a1e40c60332917c4ad5fa57acbb23 SHA-1 PuTTY\r\n75d7d147f66004c7131ad0d0fa5603451be45ba SHA-1 OpenSSH\r\nf5ca50ee8bc9d01760c7d0d4fc0c814cbbf26bc9 SHA-1 MobaXterm – SSH tool\r\n03f193a9385cf8fe2429e14aab4862b1627ff9d5 SHA-1 MobaXterm – SSH tool\r\n57aed4cf2972b51e0a7d37e9ca0c4b1b6985e1f1 SHA-1 MobaXterm – SSH tool\r\n2aab7f60262db7589d83fd7d13c968a6b93f75b9 SHA-1 MobaXterm – SSH tool\r\ne7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02 SHA-1 AnyDesk\r\n6ae600ccff0741ce420bbd372c931b951094121f SHA-1 AnyDesk\r\nc144446dc23c86c7c9b26ce87c3176866372f6d1 SHA-1 AnyDesk\r\n363068731e87bcee19ad5cb802e14f9248465d3 SHA-1 AV/EDR killer\r\nAS29802 AS Number\r\nHivelocity Inc. – Used for SSL VPN\r\nlogin\r\nAS43641 AS Number\r\nSollutium Eu Sp Z.O.O. – Used for SSL\r\nVPN login\r\nAS58061 AS Number Scalaxy B.V. – Used for SSL VPN login\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 8 of 10\n\nAS59711 AS Number\r\nHz Hosting Ltd – Used for SSL VPN\r\nlogin\r\nAS62240 AS Number\r\nClouvider Limited – Used for SSL VPN\r\nlogin\r\nAS202015 AS Number\r\nHz Hosting Ltd – Used for SSL VPN\r\nlogin\r\nAS395092 AS Number\r\nShock Hosting Llc – Used for SSL VPN\r\nlogin\r\nAS64236 AS Number\r\nUnReal Servers, LLC – Used for SSL\r\nVPN login\r\nAS32613 AS Number\r\nLeaseweb Canada Inc. – Used for SSL\r\nVPN login\r\nDetection Opportunities\r\nAs part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques\r\ndescribed in this blog article, in addition to other techniques employed by ransomware threat actors.\r\nNetwork\r\nDuring our investigations, we observed threat actors logging into SonicWall SSL VPN accounts via a handful of\r\nhosting-related ASNs. In situations where organizations don’t have a valid business reason to allow logins from\r\nthese specific ASNs, login attempts can be blocked outright, or otherwise used for detection purposes. IP\r\nclassification services may provide avenues for blocking logins from hosting-related ASNs altogether, although\r\nsome exceptions may be needed depending on the use of legitimate services such as SASE providers.\r\nEndpoint\r\nThe Veeam-Get-Creds.ps1 PowerShell script includes the following strings:\r\n[System.Security.Cryptography.ProtectedData]::Unprotect\r\n[System.Security.Cryptography.DataProtectionScope]::LocalMachine\r\nSqlDatabaseName\r\nDetecting occurrences of all 3 strings in PowerShell script block logging may be able to identify usage of this tool.\r\nAdditional Resources\r\nGet actionable insights and access to the security operations expertise of one of the largest security operations\r\ncenters (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 9 of 10\n\nLearn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000\r\nglobal IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who\r\nexplore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and\r\nrefine advanced threat detection models with artificial intelligence, including machine learning, and drive\r\ncontinuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their\r\ndeep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s\r\ncustomer base, but the security community at large.\r\nAuthors\r\nSteven Campbell\r\nSteven Campbell is a Lead Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of\r\nexperience in intelligence analysis and security research. He has a strong background in infrastructure analysis and\r\nadversary tradecraft.\r\nAkshay Suthar\r\nAkshay Suthar is a Lead Threat Intelligence Researcher at Arctic Wolf Labs focused on researching adversary\r\ntradecraft and malware analysis. He has more than seven years of experience in a multitude of domains including\r\nthreat intelligence research, detection engineering, and intrusion analysis.\r\nStefan Hostetler\r\nStefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under\r\nhis belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves\r\neffectively.\r\nSource: https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-v\r\npn/\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/" ], "report_names": [ "arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn" ], "threat_actors": [ { "id": "8c8fea8c-c957-4618-99ee-1e188f073a0e", "created_at": "2024-02-02T02:00:04.086766Z", "updated_at": "2026-04-10T02:00:03.563647Z", "deleted_at": null, "main_name": "Storm-1567", "aliases": [ "Akira", "PUNK SPIDER", "GOLD SAHARA" ], "source_name": "MISPGALAXY:Storm-1567", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84", "created_at": "2024-04-24T02:00:49.516358Z", "updated_at": "2026-04-10T02:00:05.309426Z", "deleted_at": null, "main_name": "Akira", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "source_name": "MITRE:Akira", "tools": [ "Mimikatz", "PsExec", "AdFind", "Akira _v2", "Akira", "Megazord", "LaZagne", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434805, "ts_updated_at": 1775791677, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7f519e2a025f4878ee2a1db34e53c78c2cb84698.pdf", "text": "https://archive.orkl.eu/7f519e2a025f4878ee2a1db34e53c78c2cb84698.txt", "img": "https://archive.orkl.eu/7f519e2a025f4878ee2a1db34e53c78c2cb84698.jpg" } }