{
	"id": "dc4cb3b8-77b8-4a3c-9575-0fe0a00e2e74",
	"created_at": "2026-04-06T00:10:11.897651Z",
	"updated_at": "2026-04-10T03:36:33.582485Z",
	"deleted_at": null,
	"sha1_hash": "888683c08cb1d4c54ac79903fb3c861d86e4899c",
	"title": "Operation Triangulation: iOS devices targeted with previously unknown malware",
	"llm_title": "",
	"authors": "Igor Kuznetsov",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 394504,
	"plain_text": "Operation Triangulation: iOS devices targeted with previously unknown malware\r\nBy Igor Kuznetsov\r\nPublished: 2023-06-01 · Archived: 2026-04-02 10:54:06 UTC\r\nAPT reports\r\n01 Jun 2023\r\n5 minute read\r\nhttps://securelist.com/operation-triangulation/109842/\r\nPage 1 of 9\n\nUPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT\u0026CK framework.\r\nWhile monitoring the network traffic of our own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.\r\nWe are calling this campaign “Operation Triangulation”, and all the related information we have on it will be collected on the Operation Triangulation page. If you have any additional details to share, please contact us: triangulation[at]kaspersky.com.\r\nWhat we know so far\r\nMobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and database records allow us to roughly reconstruct the events that happened to the device. The mvt-ios utility produces a sorted timeline of events in a file called “timeline.csv”, similar to the super-timeline used by conventional digital forensic tools.\r\nUsing this timeline, we were able to identify specific artifacts that indicate the compromise. 
This allowed us to move the research forward and to reconstruct the general infection sequence:\r\n1. The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.\r\n2. Without any user interaction, the message triggers a vulnerability that leads to code execution.\r\n3. The code within the exploit downloads several subsequent stages from the C\u0026C server, including additional exploits for privilege escalation.\r\n4. After successful exploitation, a final payload is downloaded from the C\u0026C server: a fully-featured APT platform.\r\n5. The initial message and the exploit in the attachment are deleted.\r\nThe malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered date back to 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent iOS version on successfully targeted devices is iOS 15.7.\r\nThe analysis of the final payload is not finished yet. The code runs with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C\u0026C server.\r\nForensic methodology\r\nIt is important to note that, although the malware includes portions of code dedicated specifically to clearing the traces of compromise, it is possible to reliably identify whether the device was compromised. 
Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of the new device will contain the traces of compromise of both devices, with correct timestamps.\r\nPreparation\r\nAll potential target devices must be backed up, either using iTunes or the open-source utility idevicebackup2 (from the libimobiledevice package). The latter is shipped as a pre-built package by the most popular Linux distributions, or can be built from source for macOS/Linux.\r\nTo create a backup with idevicebackup2, run the following command:\r\nidevicebackup2 backup --full $backup_directory\r\nYou may need to enter the device passcode several times, and the process may take several hours, depending on the amount of user data stored on it. Note that an encrypted backup contains more data than an unencrypted one, which is why the MVT documentation recommends enabling backup encryption before creating the backup.\r\nInstall MVT\r\nOnce the backup is ready, it has to be processed by the Mobile Verification Toolkit. If Python 3 is installed on the system, run the following command:\r\npip install mvt\r\nA more comprehensive installation manual is available on the MVT homepage.\r\nOptional: decrypt the backup\r\nIf the owner of the device has previously set up backup encryption, the backup copy will be encrypted. In that case, the backup copy has to be decrypted (supplying the backup password, as described in the MVT documentation) before running the checks:\r\nmvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory\r\nParse the backup using MVT\r\nmvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory\r\nThis command runs all the MVT checks, and the output directory will contain several JSON and CSV files. For the methodology described in this blog post, you need the file called timeline.csv.\r\nCheck timeline.csv for indicators\r\n1. The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named “BackupAgent”. 
This is a deprecated binary that should not appear in the timeline during regular usage of the device. However, note that there is also a binary named “BackupAgent2”, which is not an indicator of compromise. In many cases, BackupAgent is preceded by the process “IMTransferAgent”, which downloads the attachment that happens to be the exploit; this leads to modification of the timestamps of multiple directories under “Library/SMS/Attachments”. The attachment is then deleted, leaving only the modified directories, without actual files inside them:\r\n2022-09-13 10:04:11.890351Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 127) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0\r\n2022-09-13 10:04:54.000000Z Manifest Library/SMS/Attachments/65/05 - MediaDomain\r\n2022-09-13 10:05:14.744570Z Datausage BackupAgent (Bundle ID: , ID: 710) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 734459.0, WWAN OUT: 287912.0\r\n
2. There are also less reliable indicators, which may be treated as IOCs if several of them occur within a timeframe of minutes:\r\nModification of one or several of the files com.apple.ImageIO.plist, com.apple.locationd.StatusBarIconManager.plist, com.apple.imservice.ids.FaceTime.plist\r\nData usage information for the services com.apple.WebKit.WebContent, powerd/com.apple.datausage.diagnostics, lockdownd/com.apple.datausage.security\r\nExample:\r\n2021-10-30 16:35:24.923368Z Datausage IMTransferAgent/com.apple.MobileSMS (Bundle ID: com.apple.MobileSMS, ID: 945) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 31933.0, WWAN OUT: 104150.0\r\n2021-10-30 16:35:24.928030Z Datausage IMTransferAgent/com.apple.MobileSMS (Bundle ID: com.apple.MobileSMS, ID: 945)\r\n2021-10-30 16:35:24.935920Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 946) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 47743.0, WWAN OUT: 6502.0\r\n2021-10-30 16:35:24.937976Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 946)\r\n2021-10-30 16:36:51.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain\r\n2021-10-30 16:36:51.000000Z Manifest Library/Preferences/com.apple.ImageIO.plist - RootDomain\r\nAnother example: modification of an SMS attachment directory (but no attachment filename), followed by data usage of com.apple.WebKit.WebContent, followed by modification of com.apple.locationd.StatusBarIconManager.plist. 
All the events happened within a 1-3 minute timeframe, indicating a successful zero-click compromise via an iMessage attachment, followed by the traces of exploitation and malicious activity.\r\n2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98 - MediaDomain\r\n2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain\r\n2022-09-11 19:53:10.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain\r\n2022-09-11 19:54:51.698609Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 77234150.0, WIFI OUT: 747603971.0 - WWAN IN: 55385088.0, WWAN OUT: 425312575.0\r\n2022-09-11 19:54:51.702269Z Datausage com.apple.WebKit.WebContent (Bundle ID: , ID: 1125)\r\n2022-09-11 19:54:53.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain\r\n2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/ad/13 - MediaDomain\r\n2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/ad - MediaDomain\r\n2022-06-26 18:21:50.000000Z Manifest Library/SMS/Attachments/ad/13 - MediaDomain\r\n2022-06-26 18:22:03.412817Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 19488889.0, WIFI OUT: 406382282.0 - WWAN IN: 66954930.0, WWAN OUT: 1521212526.0\r\n2022-06-26 18:22:16.000000Z Manifest Library/Preferences/com.apple.ImageIO.plist - RootDomain\r\n2022-06-26 18:22:16.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain\r\n2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc - MediaDomain\r\n2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain\r\n2022-03-21 21:38:08.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain\r\n2022-03-21 21:38:23.901243Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 551604.0, WIFI OUT: 6054253.0 - WWAN IN: 0.0, WWAN OUT: 0.0\r\n2022-03-21 21:38:24.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain\r\n
3. An even less specific indicator of compromise is the inability to install iOS updates. We discovered malicious code that modifies one of the system settings files, named com.apple.softwareupdateservicesd.plist. We observed update attempts ending with the error message “Software Update Failed. An error occurred downloading iOS”.\r\nNetwork activity during exploitation\r\nOn the network level, a successful exploitation attempt can be identified by a sequence of several HTTPS connection events. These can be discovered in netflow data enriched with DNS/TLS host information, or in PCAP dumps:\r\nLegitimate network interaction with the iMessage service, usually using the domain names *.ess.apple.com\r\nDownload of the iMessage attachment, using the domain names *.icloud-content.com, content.icloud.com\r\nMultiple connections to the C\u0026C domains, usually 2 different domains (the list of known domains follows). Typical netflow data for the C\u0026C sessions will show network sessions with a significant amount of outgoing traffic.\r\nNetwork exploitation sequence, Wireshark dump\r\nThe iMessage attachment is encrypted and downloaded over HTTPS, so the only implicit indicator that can be used is the amount of downloaded data, about 242 KB.\r\nEncrypted iMessage attachment, Wireshark dump\r\nC\u0026C domains\r\nUsing the forensic artifacts, it was possible to identify the set of domain names used by the exploits and further malicious stages. 
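The host-side checks from the 'Check timeline.csv for indicators' section above, as an added example that is not part of the original Securelist post and is not MVT code: a triage pass over timeline records that flags the strong indicator (data usage by BackupAgent, matched by exact name so that BackupAgent2 is ignored), clusters of the weaker indicators that fall within a few minutes of each other, and a write to com.apple.softwareupdateservicesd.plist. The sample records are constructed for the example: most are copied from the lines shown above, while the BackupAgent2 line and the softwareupdateservicesd.plist line do not appear in the post. The input format is assumed to be the rendered three-field form used on this page (timestamp, MVT module, description) rather than the raw CSV columns of timeline.csv, and the 3-minute window and the threshold of two weak hits are assumptions.

```python
# Added example, not code from the Securelist post or from MVT.
# Triage of MVT timeline records using the host indicators the post describes.
# Assumed input: one record per line in the rendered form used on the page,
#   '<UTC timestamp> <MVT module> <description>'
# (a real timeline.csv is a CSV with header columns; flatten it to this form first).
from datetime import datetime, timedelta

STRONG_PROCESS = 'BackupAgent'            # exact match; BackupAgent2 is benign
SUSPICIOUS_PLISTS = (
    'com.apple.ImageIO.plist',
    'com.apple.locationd.StatusBarIconManager.plist',
    'com.apple.imservice.ids.FaceTime.plist',
)
SUSPICIOUS_SERVICES = (
    'com.apple.WebKit.WebContent',
    'powerd/com.apple.datausage.diagnostics',
    'lockdownd/com.apple.datausage.security',
)
UPDATE_PLIST = 'com.apple.softwareupdateservicesd.plist'
ATTACH_PREFIX = 'Library/SMS/Attachments/'
WINDOW = timedelta(minutes=3)   # assumed: the post reports clusters within 1-3 minutes
MIN_WEAK_HITS = 2               # assumed threshold for several weak indicators

def parse_record(line):
    '''Split a rendered timeline record into (timestamp, module, description).'''
    date, clock, module, desc = line.strip().split(' ', 3)
    ts = datetime.strptime(date + ' ' + clock, '%Y-%m-%d %H:%M:%S.%fZ')
    return ts, module, desc

def classify(module, desc):
    '''Return (kind, reason) with kind in strong/weak/update, or None if uninteresting.'''
    if module == 'Datausage':
        proc = desc.split(' ', 1)[0]          # e.g. BackupAgent or IMTransferAgent/bundle
        if proc == STRONG_PROCESS:
            return 'strong', 'data usage by BackupAgent'
        if proc in SUSPICIOUS_SERVICES:
            return 'weak', 'data usage by ' + proc
    elif module == 'OSAnalyticsADDaily' and desc.startswith('com.apple.WebKit.WebContent'):
        return 'weak', 'daily analytics for com.apple.WebKit.WebContent'
    elif module == 'Manifest':
        path = desc.split(' - ')[0]           # strip the backup domain suffix
        if path.startswith(ATTACH_PREFIX):
            # Only the hashed directory levels were touched and no file lies beneath them:
            # the attachment was downloaded and then deleted.
            depth = len(path[len(ATTACH_PREFIX):].split('/'))
            if depth <= 2:
                return 'weak', 'attachment directory touched without a file: ' + path
        name = path.rsplit('/', 1)[-1]
        if name in SUSPICIOUS_PLISTS:
            return 'weak', 'modified ' + name
        if name == UPDATE_PLIST:
            return 'update', 'modified ' + name + ' (may block iOS updates)'
    return None

def scan(lines):
    '''Return findings sorted by time: (kind, first timestamp, reason or list of reasons).'''
    events = []
    for line in lines:
        if line.strip():
            ts, module, desc = parse_record(line)
            hit = classify(module, desc)
            if hit:
                events.append((ts, hit[0], hit[1]))
    events.sort()
    findings = [(kind, ts, why) for ts, kind, why in events if kind != 'weak']
    weak = [e for e in events if e[1] == 'weak']
    i = 0
    while i < len(weak):                      # group weak hits that fall inside one window
        j = i
        while j + 1 < len(weak) and weak[j + 1][0] - weak[i][0] <= WINDOW:
            j += 1
        group = weak[i:j + 1]
        if len(group) >= MIN_WEAK_HITS:
            findings.append(('cluster', group[0][0], [g[2] for g in group]))
        i = j + 1
    findings.sort(key=lambda f: f[1])
    return findings

# Constructed sample: records quoted from the post, plus a benign BackupAgent2 line
# and a softwareupdateservicesd.plist line that are not from the post.
SAMPLE = '''
2022-09-13 10:04:11.890351Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 127) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0
2022-09-13 10:04:54.000000Z Manifest Library/SMS/Attachments/65/05 - MediaDomain
2022-09-13 10:05:14.744570Z Datausage BackupAgent (Bundle ID: , ID: 710) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 734459.0, WWAN OUT: 287912.0
2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98 - MediaDomain
2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
2022-09-11 19:53:10.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
2022-09-11 19:54:51.698609Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 77234150.0, WIFI OUT: 747603971.0 - WWAN IN: 55385088.0, WWAN OUT: 425312575.0
2022-09-11 19:54:51.702269Z Datausage com.apple.WebKit.WebContent (Bundle ID: , ID: 1125)
2022-09-11 19:54:53.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain
2022-01-05 08:00:00.000000Z Datausage BackupAgent2 (Bundle ID: , ID: 300) WIFI IN: 1024.0, WIFI OUT: 512.0 - WWAN IN: 0.0, WWAN OUT: 0.0
2022-01-05 08:00:05.000000Z Manifest Library/Preferences/com.apple.softwareupdateservicesd.plist - RootDomain
'''

if __name__ == '__main__':
    for kind, ts, why in scan(SAMPLE.splitlines()):
        print(kind, ts.isoformat(), why)
```

On the sample above the scan reports the softwareupdateservicesd.plist write, one cluster of six weak hits starting at the 2022-09-11 attachment-directory modification, and the strong BackupAgent hit on 2022-09-13; the IMTransferAgent and BackupAgent2 lines are not reported. A single weak hit on its own (the 2022-09-13 attachment directory) is deliberately not reported, matching the post's point that the weak indicators count only when several of them occur close together.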
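The network-side sequence described under 'Network activity during exploitation' above, as an added example that is not part of the original post: a correlation rule over flow records (timestamp, server name from DNS or TLS enrichment, bytes sent to the client, bytes sent by the client) that looks for an iMessage session, an attachment download of roughly the size the post reports, and then sessions to at least two of the known C2 names with more outgoing than incoming bytes, all inside one window. The flow records, the hostnames, the 5-minute window, the size tolerance and the outgoing-bytes test are constructed or assumed for this example; only the domain names come from the post, and the list here holds three of them so the full list from this section should be substituted in practice.

```python
# Added example, not code from the Securelist post. Correlates flow records with
# the exploitation sequence the post describes. Record format is assumed:
#   '<ISO8601 UTC timestamp>,<server name>,<bytes to client>,<bytes from client>'
from datetime import datetime, timedelta

# Three of the C2 domains listed in the post, in its defanged notation.
KNOWN_C2_DEFANGED = ('addatamarket[.]net', 'backuprabbit[.]com', 'cloudsponcer[.]com')
ATTACHMENT_BYTES = 242 * 1024       # the post: the encrypted attachment is about 242 KB
SIZE_TOLERANCE = 0.15               # assumed: accept plus or minus 15 percent
WINDOW = timedelta(minutes=5)       # assumed correlation window
MIN_C2_DOMAINS = 2                  # the post: usually 2 different C2 domains

def refang(domain):
    '''Turn the publication form domain[.]tld back into a resolvable name.'''
    return domain.replace('[.]', '.')

KNOWN_C2 = {refang(d) for d in KNOWN_C2_DEFANGED}

def parse_flow(line):
    ts, host, to_client, from_client = line.strip().split(',')
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), host, int(to_client), int(from_client)

def is_imessage(host):
    return host.endswith('.ess.apple.com')

def is_attachment_host(host):
    return host.endswith('.icloud-content.com') or host == 'content.icloud.com'

def looks_like_attachment(to_client):
    return abs(to_client - ATTACHMENT_BYTES) <= ATTACHMENT_BYTES * SIZE_TOLERANCE

def find_sequences(lines):
    '''Return one hit per iMessage session that is followed, inside WINDOW, by an
    attachment-sized download and sessions to MIN_C2_DOMAINS known C2 names.'''
    flows = sorted(parse_flow(l) for l in lines if l.strip())
    hits = []
    for i, (ts, host, _, _) in enumerate(flows):
        if not is_imessage(host):
            continue
        later = [f for f in flows[i + 1:] if f[0] - ts <= WINDOW]
        attachment = [f for f in later if is_attachment_host(f[1]) and looks_like_attachment(f[2])]
        # C2 sessions: a known name and, as the post describes, mostly outgoing traffic
        c2 = sorted({f[1] for f in later if f[1] in KNOWN_C2 and f[3] > f[2]})
        if attachment and len(c2) >= MIN_C2_DOMAINS:
            hits.append((ts, attachment[0][1], attachment[0][2], c2))
    return hits

# Constructed flows: one matching sequence, then an ordinary iMessage photo
# download with no C2 traffic afterwards. Hostnames are illustrative only.
SAMPLE_FLOWS = '''
2022-09-13T10:04:02Z,p1.ess.apple.com,3100,2200
2022-09-13T10:04:11Z,cvws.icloud-content.com,247000,9000
2022-09-13T10:04:30Z,addatamarket.net,12000,410000
2022-09-13T10:05:10Z,backuprabbit.com,30000,900000
2022-09-13T12:00:00Z,p1.ess.apple.com,2000,1500
2022-09-13T12:00:04Z,cvws.icloud-content.com,1800000,5000
'''

if __name__ == '__main__':
    for ts, host, size, c2 in find_sequences(SAMPLE_FLOWS.splitlines()):
        print(ts.isoformat(), host, size, c2)
```

The rule fires only for the first session in the sample; the second iMessage session is followed by a download far larger than the attachment size and by no C2 traffic, so it is ignored. For historical DNS log checks the refang helper is the relevant piece: the domains in this section are published defanged and must be normalized before matching.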
\r\nThese domains can be used to check DNS logs for historical information, and to identify the devices currently running the malware:\r\naddatamarket[.]net\r\nbackuprabbit[.]com\r\nbusinessvideonews[.]com\r\ncloudsponcer[.]com\r\ndatamarketplace[.]net\r\nmobilegamerstats[.]com\r\nsnoweeanalytics[.]com\r\ntagclick-cdn[.]com\r\ntopographyupdates[.]com\r\nunlimitedteacup[.]com\r\nvirtuallaughing[.]com\r\nweb-trackers[.]com\r\ngrowthtransport[.]com\r\nanstv[.]net\r\nans7tv[.]net",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/operation-triangulation/109842/"
	],
	"report_names": [
		"109842"
	],
	"threat_actors": [
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/888683c08cb1d4c54ac79903fb3c861d86e4899c.pdf",
		"text": "https://archive.orkl.eu/888683c08cb1d4c54ac79903fb3c861d86e4899c.txt",
		"img": "https://archive.orkl.eu/888683c08cb1d4c54ac79903fb3c861d86e4899c.jpg"
	}
}