{
	"id": "d74eaa67-a5da-4a72-be44-6515a26a7239",
	"created_at": "2026-05-06T02:02:26.288868Z",
	"updated_at": "2026-05-06T02:03:52.703123Z",
	"deleted_at": null,
	"sha1_hash": "94a737ef6b9baa8687e3208f90e41b848616c473",
	"title": "“Malware, from the Outside!”: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7788622,
	"plain_text": "“Malware, from the Outside!”: How a Threat Actor Used Fake\r\nOpenClaw Installers to Infect Systems with GhostSocks and Information\r\nStealers\r\nBy Jai Minton, Ryan Dowd\r\nPublished: 2026-03-04 · Archived: 2026-05-06 02:00:56 UTC\r\nSpecial thanks to Greig Bailey for their effort in triaging and responding to this activity, and Aaron Deal for his tireless\r\nreview and edits of this blog.\r\nSummary\r\nInformation stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the\r\nSnowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog\r\ndetails an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the\r\n2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information\r\nstealers that used a novel packer called Stealth Packer. \r\nThe installers also delivered malware known as GhostSocks to allow threat actors to circumvent anti-fraud detections by\r\nrouting traffic through the victim's own system. This technique can trick security checks into thinking the threat actor is the\r\nactual user, making it much easier for threat actors to circumvent MFA or anti-fraud checks that would otherwise flag an\r\nunauthorized login.\r\nThe campaign did not target a particular industry, but was broadly targeting users attempting to install OpenClaw with the\r\nmalicious repositories containing download instructions for both Windows and macOS environments. What made this\r\nsuccessful was that the malware was hosted on GitHub, and the malicious repository became the top-rated suggestion in\r\nBing’s AI search results for OpenClaw Windows. \r\nKey takeaways\r\nA malicious GitHub repository was promoted via Bing AI search results for OpenClaw Windows, a technique similar\r\nto a campaign we observed in December. In that instance, attackers poisoned search results and exploited the shared\r\nchat features of ChatGPT and Grok to trick users into downloading the AMOS stealer, whereas in this instance just\r\nhosting the malware on GitHub was enough to poison Bing AI search results.\r\nThe malicious GitHub repository contained installation instructions which, if followed, would run information\r\nstealers and GhostSocks malware on a Windows system, and Atomic MacOS Stealer (AMOS) on a MacOS system.\r\nStealth Packer is a new packer that injects malware into memory, adds firewall rules, creates hidden ghost scheduled\r\ntasks, and performs potential AntiVM checks for mouse movement before running decrypted payloads.\r\nGhostSocks, a tool previously utilized by the BlackBasta ransomware group, turns compromised systems into\r\nproxies. It allows threat actors to bypass anti-fraud or MFA checks when logging into accounts with credentials\r\nharvested by deployed information stealers or, more broadly, to route their attacks directly through the victim's\r\nnetwork.\r\nEven with a legitimate OpenClaw installation, users face a significant risk, as OpenClaw configurations contain an\r\narray of sensitive information, including passwords, API keys, and more. If an information stealer compromises the\r\nsystem, it can harvest not only account credentials but also sensitive OpenClaw configuration files, as previously\r\nreported by Hudson Rock.\r\nJust because software is hosted on a trusted platform doesn’t mean that it’s not malicious. Users should not blindly\r\ntrust that the releases of code on GitHub are actually related to the code in the repository.\r\nBackground\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 1 of 16\n\nMuch like the aliens from Toy Story who worshipped a claw, OpenClaw is taking the world by storm and developing a lot of\r\nfollowers. After originally being released as Clawdbot in November of 2025, promising to be a personal open-source AI\r\nassistant, it was subsequently rebranded as Moltbot in late January of 2026, before once again being rebranded three days\r\nlater to OpenClaw. Despite these rebrands, OpenClaw has become a global hit with the project quickly gaining tens of\r\nthousands of forks and hundreds of thousands of stars on GitHub, indicating users are appreciative of the project and want to\r\nstay updated about any changes to it.\r\nFigure 1: OpenClaw star history, from original GitHub repository courtesy of star-history.com\r\nWith any new popular technology or global change that impacts a large number of people comes threat actors who are\r\nwilling to capitalize on it to steal credentials and sell access to others for personal gain. So, it’s no surprise that threat actors\r\nhave begun using the popularity of OpenClaw to trick unsuspecting users into installing malware on their machines.\r\nOn Monday, February 9, Huntress was alerted to a system showing signs of infection after a user downloaded and ran an\r\ninstaller from GitHub posing as an OpenClaw installer for Windows. This came as the top-rated suggestion when searching\r\nfor OpenClaw Windows, making it highly likely that other users would have fallen victim to this attack had Huntress not\r\nreported the malicious repository and GitHub not been so responsive in taking it down.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 2 of 16\n\nIn-depth analysis of the threat\r\nAnalysis revealed that this user had searched for the term OpenClaw Windows through Bing and had the AI suggestion link\r\ndirectly to a newly created malicious GitHub repository openclaw-installer.\r\nFigure 2: Bing AI search result linking to a malicious installer hosted on GitHub.\r\nWhilst previously Huntress reported on AI chatbots being abused to trick users into running malicious commands, this time\r\nit came from Bing’s AI, which natively recommended installing OpenClaw from a malicious GitHub repository.\r\nAt first glance, the GitHub repository could easily be mistaken for a legitimate installer. It’s even tied to a GitHub\r\norganisation called openclaw-installer to give it a level of inherent trust that extends beyond a random user account simply\r\nposting the repository.\r\nFigure 3: Fake Openclaw installer GitHub organisation\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 3 of 16\n\nFigure 4: Fake Openclaw installer GitHub Readme\r\nTo an untrained LLM or “AI” system, such a repository could easily look like a legitimate installer; however, to an\r\nexperienced human, this facade quickly fades when you see the intended installation method for macOS systems is to run a\r\nbash 1-liner that reaches out to a separate organisation puppeteerrr and repository dmg. We will go more into this repository\r\nlater in the blog.\r\nFigure 5: Openclaw installer GitHub organisation\r\nLooking at the account involved in the fake OpenClaw installer revealed that the user first joined GitHub in September of\r\n2025. They performed no public actions until they opened an issue on the official OpenClaw repository on January 30,\r\npromoting a different GitHub repository openclaw-trading-assistant, under the organisation molt-bot. This issue was closed\r\nshortly after to remove traces of self-promotion, and an identical issue was raised before a member of OpenClaw closed it\r\noff as spam.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 4 of 16\n\nFigures 6: Closed Openclaw issues raised by threat actor GitHub account\r\nFigure 7: Original Openclaw issues raised by threat actor GitHub account\r\nThis repository and organisation have since been taken down, and it’s likely it contained malware.\r\nThe user account is also linked to a non-existent X account in its bio, possibly to appear more legitimate, and used a picture\r\nfrom a different X account with nearly 200k followers.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 5 of 16\n\nFigure 8: Largely inactive GitHub account tied to malicious OpenClaw repository\r\nLooking at the code inside of OpenClaw-Installer reveals that it is largely just legitimate code taken from the Cloudflare\r\nproject moltworker and has nothing to do with the executables found in the releases section.\r\nFigure 9: moltworker code comparison to OpenClaw-Installer source\r\nWithin the releases section, the malicious executable can be found named OpenClaw_x64.exe inside of a 7-Zip archive.\r\nThis is a bloated binary that had the original name TradeAI.exe. A search for similar files on VirusTotal revealed three other\r\nsamples, two of which appeared possibly related and malicious with no detections, and one of which appears to be the only\r\nsigned executable. All of these claimed to be an Automatic hardware driver update tool by TradeAI nofilabs and had no or\r\nlow detection rates on VirusTotal.\r\nFigure 10: Potentially malicious samples with low or no detection rates on VirusTotal\r\nIndicator SHA256 Description\r\nTradeAI.exe 249058ce8dc6e74cff9fb84d4d32c82e371265b40d02bb70b7955dceea008139\r\nUnsigned, likely\r\nmalicious executable\r\nsimilar to the fake\r\nOpenClaw installer.\r\nHas a PDB of\r\nWormGpt.pdb, a large\r\nlanguage model\r\nknown to be used to\r\ndevelop malware.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 6 of 16\n\nTradeAI.exe 0b6ed577b993fd81e14f9abbef710e881629b8521580f3a127b2184685af7e05\r\nUnsigned, likely\r\nmalicious executable\r\nsimilar to the fake\r\nOpenClaw installer.\r\nHas an original PDB\r\nof Setup_Soft.pdb\r\nTradeAI.exe b73bd2e4cb16e9036aa7125587c5b3289e17e62f8831de1f9709896797435b82\r\nSigned, potentially\r\nlegitimate executable\r\nthat’s been used to\r\nembed malicious code\r\ninto. Has an original\r\nPDB of\r\nTradeAIbot.exe\r\nUpon execution of OpenClaw_x64.exe, Huntress observed multiple pieces of malware being deployed to the endpoint, many\r\nof which were quarantined by Windows Managed AV and Managed Defender for Endpoint. The vast majority of executables\r\nwere loaders created in Rust designed to run information stealers in memory. A full breakdown of the binaries observed and\r\ntheir associated indicators are included in the indicators of compromise section at the bottom of this blog. However, some\r\nnotable binaries were named cloudvideo.exe, svc_service.exe, and serverdrive.exe.\r\ncloudvideo.exe is a Vidar stealer payload that reaches out to both Telegram and Steam user profiles to retrieve dynamic C2\r\ninformation based on the channel and user profile name.\r\nFigure 11: Telegram channel used for\r\nVidar C2 configuration retrieval\r\nFigure 12: Steam account used for Vidar C2 configuration retrieval\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 7 of 16\n\nLooking at the PDB, strings, and mutexes created in some of the malware observed indicates the threat actor is possibly\r\nusing a new packer called stealth packer. This was most prominent within a binary called svc_service.exe suspected to be a\r\nRust-based malware loader that runs PureLogs Stealer in memory. This also contained a PDB of stealth_packer, and created\r\na Mutex called StealthPackerMutex_9A8B7C.\r\nFigure 13: Strings from svc_service.exe mentioning Stealth Packer\r\nA number of debugging messages in this sample also provide clues about the functionality of stealth packer, including\r\ninvoking malware into memory, adding firewall rules, creating hidden ghost scheduled tasks, and potential AntiVM checks\r\nto look for mouse movement prior to running decrypted payloads. These are included in the gist below.\r\nserverdrive.exe is a GhostSocks backconnect proxy that is decrypted from the embedded resource WKANKGV and is\r\ncopied to a file called update.exe, before setting a user run key to execute this for persistence. GhostSocks turns\r\ncompromised machines into a proxy that can be used by the threat actor as a way to bypass anti-fraud checks when\r\naccessing accounts through credentials stolen by the deployed information stealers, or more broadly, to allow attacks to be\r\nrouted through the compromised system. In addition to this, GhostSocks has previously been reported as a key tool used by\r\nthe BlackBasta ransomware operators for persistent access to systems. \r\nThe executable uses TLS for connections, which is a change to original variants, which would use unencrypted HTTP.\r\nInterestingly, this variant contained a check for a particular argument (--johnpidar) which if provided would launch the\r\nmalware in debugging mode, providing more insight into its configuration.\r\nFigure 14: GhostSocks launched in debug mode using --johnpidar argument\r\nIn this instance, GhostSocks had two primary helper addresses and four pieces of embedded configuration data shown which\r\ncorrespond to the following:\r\nPrimary Helper URL: hxxps[://]147[.]45[.]197[.]92:443\r\nFallback Helper URL: hxxps[://]94[.]228[.]161[.]88:443\r\nBuild Version: 0Ltr.aBz53Pe\r\nPotential Proxy Username (Unconfirmed): I5QNQdQDbyn0NTWxg7PyY1rLo0LaFBV1\r\nPotential Proxy Password (Unconfirmed): aUGAQ9B55kebH9fzaSLN0q7GNs0xCzKi\r\nPotential Affiliate User ID (Unconfirmed): MVIW08SirgnAgiHfoXGht42r\r\nUpon reaching out to the primary helper addresses, more IP addresses are made available to the malware on subsequent\r\nruns. These are stored within an encrypted configuration file at %AppData%\\config.\r\nFigure 15: Encrypted GhostSocks configuration\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 8 of 16\n\nThe encrypted configuration is trivially decrypted using the XOR key config.\r\nFigure 16: Decrypted GhostSocks configuration\r\nIdentified addresses that were downloaded to this config file are included in the indicators of compromise section.\r\nRevisiting the GitHub account used for delivering macOS malware, this closely mirrored the first malicious GitHub profile.\r\nNotably, whilst the first account was used to promote and distribute the fake Windows installer, its install command for\r\nMacOS would instead pull and run malware from a separate repository called dmg under a newly created organisation\r\npuppeteerrr, which in itself is a major red flag. Much like the first account, the second account, which created the\r\norganisation and repository, was also first opened in September, and had no public activity up until early February when the\r\nmalicious organisation puppeteerrr and associated repository dmg were created.\r\nFigure 17: Account used in puppeteerrr organisation and dmg repository\r\nThe repository contained a number of files that followed a theme of containing a shell script paired with a Mach-O\r\nexecutable.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 9 of 16\n\nFigure 18: Malware hosted on GitHub repository dmg under puppeteerrr organisation\r\nIn Figure 18, CBpredict would be a shell script 1-liner to download, make executable, and run CBpredictbot, much the same\r\nas OpenClaw would be used to download, make executable, and run OpenClawBot.\r\nFigure 19: Launcher script used to download and run OpenClawBot executable\r\nThe bash 1-liner is a rudimentary deployment of an ad-hoc signed Mach-O binary. A file is downloaded to $tmpdir (a\r\nrandom location under /var/folders), while all extended attributes are stripped from the file. This is likely in an attempt to\r\ncircumvent GateKeeper controls; however, curl will not add the com.apple.quarantine flag, which renders this largely\r\nunnecessary. Execute permissions are added to the file, and it is ultimately executed under the context of the user.\r\nStatic analysis of the ~500kb OpenClawBot binary reveals very few readable strings, indicative of encryption. Execution of\r\nactions decrypted at runtime is indicative of information stealers and correlates strongly with this being a variant of Atomic\r\nMacOS Stealer (AMOS). Namely, Terminal is terminated, and the OpenClawBot process requests Administrative\r\ncredentials, which are validated with dscl before requesting the appropriate TCC permissions to automate an infostealing\r\nAppleScript. The script itself traverses TCC-protected locations such as Documents, Downloads, and Desktop, looking for\r\nfiles with the extensions: pdf, txt, rtf, log, md, text, json, env, xlsx, xls, ods, docx, png, and doc.  \r\nFigure 20: AppleScript prompt for Administrative credentials\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 10 of 16\n\nFigure 21: Infostealer script executed once Administrative credentials and TCC privileges have been provided\r\nOnce the filegrabber method has captured the target files, ditto is used to prepare and archive the cache of data.\r\nFigure 22: Ditto archive instead of zip in order to avoid detection\r\nFigure 23: POST request containing captured content to malicious domain\r\nIt’s worth noting that in the hours after receiving the OpenClawBot for analysis, our researchers observed that the latest\r\nupdates to XProtect.yara (version: 5329) detect this file under a new rule, MACOS.SOMA.CLBIFEA. As such, it will fail\r\nto run on any macOS system with the latest XProtect rules applied.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 11 of 16\n\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 12 of 16\n\nFigures 24 \u0026 25: XProtect.yara rule to detect OpenClawBot and xp_malware_detected ES event JSON output supplied by\r\neslogger detailing enforcement of this rule. \r\nIndicator Type SHA256 Description\r\nOpenClawBot Executable e13d9304f7ebdab13f6cb6fae3dff3a007c87fed59b0e06ebad3ecfebf18b9fd\r\nMach-O\r\nuniversal\r\nbinary with\r\narchitecture\r\n[x86_64:M\r\nO 64-bit\r\nexecutable\r\nx86_64]\r\n[arm64:Ma\r\nO 64-bit\r\nexecutable\r\narm64]\r\nhxxps[://]socifiapp[.]com/api/reports/upload Domain N/A\r\nData\r\nexfiltration\r\nlocation\r\nExtra campaign insights\r\nWhilst creating this blog, Huntress identified three other organisations and accounts used to distribute similar malicious\r\ninstallers suspected to be deploying information stealers. Interestingly, one of these mimics the original openclaw-installer\r\nand was created a day after the original account, organisation, and repository were taken down. All have been reported to\r\nGitHub.\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 13 of 16\n\nOrganisation Repository\r\nUser\r\nAccount\r\nNote\r\nEmail Associated with User\r\nAccount\r\nsimple-claw simpleclaw JSfOMGi2\r\nCreated repository\r\nFebruary 4, 2026. Fake\r\nSimpleClaw installer\r\njessicajacksonfusg[@]hotmail[.]com\r\nComfyUI-easyComfyUI-auto-installer\r\npblockbDerp4\r\nCreated repository\r\nDecember 24, 2025. Fake\r\nComfy UI Auto Installer.\r\nUser image is taken from\r\n@dannysmith on X.\r\nssljrrausv886[@]hotmail[.]com\r\ninstall-openclawopenclaw-installer\r\nwgodbarrelv4\r\nCreated repository\r\nFebruary 11, 2026. User\r\nimage is taken from\r\n@pradeep on X.\r\njameswilsonlbum[@]hotmail.com\r\nConclusion\r\nThe Huntress Threat Detection and Response function came together to detect, respond, and impede ongoing malicious\r\nactivity from the fake OpenClaw installers. After the Huntress SOC was able to identify the malicious activity, isolate the\r\nimpacted system, and report it to the impacted Huntress partner, Huntress’ Detection Engineering and Threat Hunting\r\n(DE\u0026TH) function reported the malicious GitHub repositories, accounts, and organisations, and within eight hours of\r\nreporting these, they had been taken down by GitHub.\r\nAs new technologies grow in popularity, so does the risk of threat actors leveraging these technologies in new lures to infect\r\nunsuspecting users. As your most technical users are often granted administrator privileges, this makes them a high risk.\r\nEnsuring even your most technical users who are experimenting with these technologies understand the risks posed and how\r\nto spot malicious installers is just one of the ways you can layer your defenses to prevent an incident from occurring in your\r\nenvironment.\r\nIndicators of compromise (IOCs)\r\nName Type SHA256\r\nC:\\Users\\REDACTED_USER\\Downloads\\OpenClaw_x64\\OpenClaw_x64.exe Executable 518ff5fbfa4296abf38dfc342107f70e1491a7460978d\r\nC:\\Users\\Public\\Pictures\\ServiceHost\\UpdateAgent\\cloudvideo.exe Executable f03e38e1c39ac52179e43107cf7511b9407edf83c008\r\nC:\\Users\\Public\\Music\\AudioController\\USBHelper\\svc_service.exe Executable 40fc240febf2441d58a7e2554e4590e172bfefd289a5\r\nC:\\Users\\Public\\Pictures\\SystemComponent\\WindowsDriver\\WinHealhCare.exe Executable fd67063ffb0bcde44dca5fea09cc0913150161d7cb13\r\nC:\\Users\\Public\\Documents\\DriverController\\ServiceManager\\OneSync.exe Executable d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e9\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 14 of 16\n\nC:\\Users\\REDACTED_USER\\AppData\\Local\\Microsoft\\OneDriveSyncHost.exe Executable d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e9\r\nC:\\Users\\REDACTED_USER\\AppData\\Local\\Temp\\MicrosoftSync.exe Executable d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e9\r\nC:\\Users\\REDACTED_USER\\AppData\\Roaming\\Adobe\\AdobeCloudHelper.exe Executable d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e9\r\nC:\\Users\\Public\\Documents\\GraphicsDriver\\IntelAdapter\\serverdrive.exe Executable a22ddb3083b62dae7f2c8e1e86548fc71b63b7652b5\r\n%AppData%\\Microsoft\\Windows\\Cache\\update.exe Executable a22ddb3083b62dae7f2c8e1e86548fc71b63b7652b5\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\n{BackgroundTask}\r\nRun Key N/A\r\nEdgeUpdateHelper\r\nScheduled\r\nTask\r\nd5dffba463beae207aee339f88a18cfcd2ea2cd3e36e9\r\nserverconect[.]cc Domain N/A\r\nhxxps[://]telegram[.]me/dikkh0k URL N/A\r\nhxxps[://]steamcommunity[.]com/profiles/76561198742377525 URL N/A\r\n185[.]196[.]9[.]98 IP Address N/A\r\nGlobal\\{SystemMgr4902}_851586903 Mutex N/A\r\nGlobal\\StealthPackerMutex_9A8B7C Mutex N/A\r\nc10f845f3942 Mutex N/A\r\n121[.]127[.]33[.]212\r\n144[.]31[.]123[.]157\r\n144[.]31[.]139[.]201\r\n144[.]31[.]139[.]203\r\n144[.]31[.]204[.]136\r\n144[.]31[.]204[.]145\r\n147[.]45[.]197[.]92\r\n172[.]245[.]112[.]202\r\n193[.]143[.]1[.]155\r\nIP Address N/A\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 15 of 16\n\n193[.]143[.]1[.]160\r\n193[.]23[.]211[.]29\r\n194[.]28[.]225[.]230\r\n206[.]245[.]157[.]177\r\n64[.]188[.]70[.]194\r\n77[.]239[.]120[.]249\r\n77[.]239[.]121[.]3\r\n84[.]201[.]4[.]120\r\n87[.]251[.]87[.]137\r\n93[.]185[.]159[.]90\r\n94[.]228[.]161[.]88\r\nOpenClawBot Executable e13d9304f7ebdab13f6cb6fae3dff3a007c87fed59b0e\r\nhxxps[://]socifiapp[.]com/api/reports/upload Domain N/A\r\nSource: https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nhttps://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer"
	],
	"report_names": [
		"openclaw-github-ghostsocks-infostealer"
	],
	"threat_actors": [],
	"ts_created_at": 1778032946,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94a737ef6b9baa8687e3208f90e41b848616c473.pdf",
		"text": "https://archive.orkl.eu/94a737ef6b9baa8687e3208f90e41b848616c473.txt",
		"img": "https://archive.orkl.eu/94a737ef6b9baa8687e3208f90e41b848616c473.jpg"
	}
}