{
	"id": "1ba15d1e-6895-4bff-95a2-a06830013806",
	"created_at": "2026-04-06T00:17:47.5435Z",
	"updated_at": "2026-04-10T03:37:01.142161Z",
	"deleted_at": null,
	"sha1_hash": "98d0f6a0688d735006c63f0d6d1035ac9b97eeb7",
	"title": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 333773,
	"plain_text": "GALLIUM Expands Targeting Across Telecommunications,\r\nGovernment and Finance Sectors With New PingPull Tool\r\nBy Unit 42\r\nPublished: 2022-06-13 · Archived: 2026-04-05 13:05:34 UTC\r\nExecutive Summary\r\nUnit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by\r\nGALLIUM, an advanced persistent threat (APT) group.\r\nUnit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM\r\n(also known as Softcell), established its reputation by targeting telecommunications companies operating in\r\nSoutheast Asia, Europe and Africa. The group’s geographic targeting, sector-specific focus and technical\r\nproficiency, combined with their use of known Chinese threat actor malware and tactics, techniques and\r\nprocedures (TTPs), has resulted in industry assessments that GALLIUM is likely a Chinese state-sponsored group.\r\nOver the past year, this group has extended its targeting beyond telecommunication companies to also include\r\nfinancial institutions and government entities. During this period, we have identified several connections between\r\nGALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia,\r\nMozambique, the Philippines, Russia and Vietnam. Most importantly, we have also identified the group’s use of a\r\nnew remote access trojan named PingPull.\r\nPingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control\r\n(C2). While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to\r\ndetect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks. 
This\r\nblog provides a detailed breakdown of this new tool as well as the GALLIUM group's recent infrastructure.\r\nPalo Alto Networks customers receive protections from the threats described in this blog through Threat\r\nPrevention, Advanced URL Filtering, DNS Security, Cortex XDR and WildFire malware analysis.\r\nFull visualization of the techniques observed, relevant courses of action and indicators of compromise (IoCs)\r\nrelated to this report can be found in the Unit 42 ATOM viewer.\r\nPingPull Malware\r\nPingPull was written in Visual C++ and provides a threat actor the ability to run commands and access a reverse\r\nshell on a compromised host. There are three variants of PingPull that are all functionally the same but use\r\ndifferent protocols for communications with their C2: ICMP, HTTP(S) and raw TCP. In each of the variants,\r\nPingPull will create a custom string with the following structure that it will send to the C2 in all interactions,\r\nwhich we believe the C2 server will use to uniquely identify the compromised system:\r\nPROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]\r\nRegardless of the variant, PingPull is capable of installing itself as a service with the following description:\r\nProvides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these\r\ntechnologies offer.\r\nThe description is identical to that of the legitimate iphlpsvc service, which PingPull purposefully attempts to\r\nmimic using Iph1psvc for the service name and IP He1per instead of IP Helper for the display name. The only\r\ndifference from the genuine names is the digit 1 in place of the lowercase letter l, which is easy to miss in a service listing. 
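The following Python is an added example written for this edit, not code from the report or from Unit 42. It turns the service-name mimicry described above into a check over a service inventory: it folds the 1-for-l swap (and, as an assumption, a few related digit-for-letter swaps) before comparing names with the genuine iphlpsvc and IP Helper, and separately flags any service that carries the exact iphlpsvc description under a different name, which also catches the sample that reused the description under the service name Onedrive. The inventory records are constructed; on a live host the same three fields come from the Name, DisplayName and Description properties of Win32_Service (Get-CimInstance Win32_Service).

```python
from dataclasses import dataclass

# The description PingPull copies verbatim from the legitimate iphlpsvc service
# (quoted from the report), plus the real service and display names it imitates.
LEGIT_NAME = 'iphlpsvc'
LEGIT_DISPLAY = 'IP Helper'
IPHLPSVC_DESCRIPTION = (
    'Provides tunnel connectivity using IPv6 transition technologies '
    '(6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is '
    'stopped, the computer will not have the enhanced connectivity benefits that '
    'these technologies offer.'
)

# Digit-for-letter swaps that turn iphlpsvc into Iph1psvc and IP Helper into
# IP He1per. Only the 1-for-l swap comes from the report; 0, 5 and 3 are
# assumptions covering the obvious siblings.
CONFUSABLES = str.maketrans({'1': 'l', '0': 'o', '5': 's', '3': 'e'})

def canonical(name):
    '''Lower-case a name and fold confusable digits so lookalikes compare equal.'''
    return name.lower().translate(CONFUSABLES)

@dataclass
class ServiceRecord:
    name: str          # Win32_Service.Name
    display_name: str  # Win32_Service.DisplayName
    description: str   # Win32_Service.Description

def classify(svc):
    '''Return the reasons one service record looks like PingPull persistence;
    an empty list means it passed.'''
    findings = []
    if svc.name != LEGIT_NAME and canonical(svc.name) == canonical(LEGIT_NAME):
        findings.append('service name is a lookalike of ' + LEGIT_NAME)
    if svc.display_name != LEGIT_DISPLAY and canonical(svc.display_name) == canonical(LEGIT_DISPLAY):
        findings.append('display name is a lookalike of ' + LEGIT_DISPLAY)
    if svc.description.strip() == IPHLPSVC_DESCRIPTION and svc.name != LEGIT_NAME:
        findings.append('reuses the iphlpsvc description under the name ' + svc.name)
    return findings

def scan(records):
    '''Map each suspicious service name to its findings; clean services are omitted.'''
    return {svc.name: classify(svc) for svc in records if classify(svc)}

# Constructed sample inventory: the genuine service, the two PingPull variants
# described in the report, and an unrelated service that must not be flagged.
SAMPLE_SERVICES = [
    ServiceRecord('iphlpsvc', 'IP Helper', IPHLPSVC_DESCRIPTION),
    ServiceRecord('Iph1psvc', 'IP He1per', IPHLPSVC_DESCRIPTION),
    ServiceRecord('Onedrive', 'Onedrive', IPHLPSVC_DESCRIPTION),
    ServiceRecord('Spooler', 'Print Spooler',
                  'This service spools print jobs and handles interaction with the printer.'),
]

if __name__ == '__main__':
    for name, reasons in scan(SAMPLE_SERVICES).items():
        print(name, '->', '; '.join(reasons))
```

Running it reports Iph1psvc with three findings and Onedrive with one; the genuine iphlpsvc entry and the unrelated Spooler entry pass. The description comparison is the more durable of the two checks, since a new sample can pick any service name but has so far kept the copied description.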
We have also\r\nseen a PingPull sample use this same service description but with a service name of Onedrive.\r\nThe three variants of PingPull have the same commands available within their command handlers. The commands\r\nseen in Table 1 show that PingPull has the ability to perform a variety of activities on the file system, as well as\r\nthe ability to run commands via cmd.exe, which acts as a reverse shell for the actor.\r\nCommand Description\r\nA Enumerate storage volumes (A: through Z:)\r\nB List folder contents\r\nC Read File\r\nD Write File\r\nE Delete File\r\nF Read file, convert to hexadecimal form\r\nG Write file, convert from hexadecimal form\r\nH Copy file, sets the creation, write, and access times to match original files\r\nI Move file, sets the creation, write, and access times to match original files\r\nJ Create directory\r\nK Timestomp file\r\nM Run command via cmd.exe\r\nTable 1. Commands available in PingPull’s command handler.\r\nTo run a command listed in Table 1, the actor has the C2 server respond to a PingPull beacon with the\r\ncommand and arguments, encrypted using AES in cipher block chaining (CBC) mode and then encoded with\r\nbase64. We have seen two unique AES keys across the known PingPull samples, specifically\r\nP29456789A1234sS and dC@133321Ikd!D^i.\r\nPingPull decrypts the received data and parses the cleartext for the command and additional arguments\r\nin the following structure:\r\n\u0026[AES Key]=[command]\u0026z0=[unknown]\u0026z1=[argument 1]\u0026z2=[argument 2]\r\nWe are not sure of the purpose of the z0 parameter in the command string, as we observed PingPull parsing for\r\nthis parameter but do not see the value being used. 
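As an added example for this edit (not code from the report or from the PingPull authors), the Python below builds and parses command strings in the structure just described, strips PKCS#5 padding from decrypted output, and uses the sizes of the base64 strings quoted later in the analysis as a consistency check: the 44-character reply decodes to 32 bytes, exactly the two AES blocks that the 25-byte test-file content plus seven 0x07 padding bytes occupy, and the test command, written with a single backslash in the path, is 47 bytes and pads to 48, whose base64 form is the 64-byte C2 message seen in the TCP capture. Those sizes only line up under the assumption that nothing but the padded cleartext (no IV, no length field) is inside the encrypted blob; the decryption itself is not shown because the report does not give the IV.

```python
import base64

AES_BLOCK = 16
# The two AES keys observed across the known samples (quoted from the report).
KNOWN_KEYS = ('P29456789A1234sS', 'dC@133321Ikd!D^i')

def build_command(key, command, z0, z1, z2):
    '''Cleartext the C2 encrypts for the implant: &[key]=[cmd]&z0=..&z1=..&z2=..'''
    return '&' + key + '=' + command + '&z0=' + z0 + '&z1=' + z1 + '&z2=' + z2

def parse_command(cleartext):
    '''Split a decrypted command string the way the handler needs it: the field named
    after the sample AES key carries the one-letter command, z0..z2 the arguments.
    Returns None when no known key is present. Assumes arguments contain no literal
    ampersand (the report does not say whether the implant escapes one).'''
    fields = {}
    for part in cleartext.split('&'):
        name, sep, value = part.partition('=')
        if sep:
            fields[name] = value
    for key in KNOWN_KEYS:
        if key in fields:
            return {'key': key, 'command': fields[key],
                    'z0': fields.get('z0'), 'z1': fields.get('z1'), 'z2': fields.get('z2')}
    return None

def pkcs5_unpad(padded):
    '''Strip PKCS#5 padding from decrypted data; raises ValueError when it is malformed.'''
    if not padded or len(padded) % AES_BLOCK:
        raise ValueError('plaintext is not a whole number of AES blocks')
    n = padded[-1]
    if not 1 <= n <= AES_BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError('bad PKCS#5 padding')
    return padded[:-n]

def ciphertext_blocks(b64):
    '''AES block count behind a base64 PingPull message. A message of 16*k bytes can
    only carry 16*(k-1) to 16*k-1 bytes of cleartext, which bounds what was sent.'''
    raw = base64.b64decode(b64)
    if not raw or len(raw) % AES_BLOCK:
        raise ValueError('ciphertext is not block aligned')
    return len(raw) // AES_BLOCK

def encoded_length(cleartext):
    '''Base64 length the channel would carry for this cleartext under AES-CBC with
    PKCS#5 padding and nothing else (no IV, no length field) inside the encrypted blob.'''
    padded = len(cleartext) + AES_BLOCK - len(cleartext) % AES_BLOCK
    return 4 * ((padded + 2) // 3)

# Values quoted in the report. chr(92) is a backslash, kept out of the literal so the
# path survives re-escaping; the resulting command is 47 bytes long.
TEST_COMMAND = build_command('P29456789A1234sS', 'C', '2', 'c:' + chr(92) + 'test.txt', 'none')
REPLY_B64 = 'ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM='
REPLY_PADDED = b'some text in a test file.' + bytes([7]) * 7

if __name__ == '__main__':
    print(parse_command(TEST_COMMAND))
    print(pkcs5_unpad(REPLY_PADDED))
    print(ciphertext_blocks(REPLY_B64), encoded_length(TEST_COMMAND),
          encoded_length('some text in a test file.'))
```

The last line prints 2, 64 and 44: two ciphertext blocks in the reply, a 64-character encoding for the command and a 44-character encoding for the reply cleartext, matching the captured sizes. The same arithmetic applied to any intercepted message bounds the cleartext length to within 16 bytes before any key is known.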
To confirm the structure of the command string, we used the\r\nfollowing string when issuing commands in our analysis environment, which would instruct PingPull to read the\r\ncontents of a file at C:\\test.txt:\r\n\u0026P29456789A1234sS=C\u0026z0=2\u0026z1=c:\\\\test.txt\u0026z2=none\r\nDuring our analysis, PingPull would respond to the command string above with\r\nya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM=, which base64-decodes and AES-decrypts (key\r\nP29456789A1234sS) to some text in a test file.\\x07\\x07\\x07\\x07\\x07\\x07\\x07, the PKCS5-padded content\r\nof the file C:\\test.txt on our analysis system (25 bytes of text plus seven 0x07 padding bytes, filling two AES blocks).\r\nICMP Variant\r\nPingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2\r\nserver. The C2 server replies to these Echo Requests with an Echo Reply packet to issue commands to the\r\nsystem. Both the Echo Request and Echo Reply packets used by PingPull and its C2 server have the same\r\nstructure as follows:\r\n[8-byte value]R[sequence number].[unique identifier string beginning with “PROJECT”]\\r\\ntotal=[length of total\r\nmessage]\\r\\ncurrent=[length of current message]\\r\\n[base64 encoded and AES encrypted data]\r\nWhen issuing a beacon to its C2, PingPull will send an Echo Request packet to the C2 server with total and\r\ncurrent set to 0 and will include no encoded and encrypted data, as seen in Figure 1.\r\nFigure 1. PingPull ICMP beacon example with hardcoded 8-byte value.\r\nThe data section in the ICMP packet in Figure 1 begins with an 8-byte value of 0x702437047E404103\r\n(\\x03\\x41\\x40\\x7E\\x04\\x37\\x24\\x70 on the wire, i.e., stored little-endian) that PingPull has hardcoded in its code, which is immediately followed by a\r\nhardcoded R. However, another PingPull sample that used ICMP for its C2 communications omitted this 8-byte\r\nvalue, as seen in Figure 2.\r\nFigure 2. 
PingPull ICMP beacon example without hardcoded 8-byte value.\r\nAfter the R is a sequence number that increments when sending or receiving data that exceeds the maximum size\r\nof the ICMP data section. The sequence number is immediately followed by a period “.” and then the unique\r\nidentifier string generated by PingPull that begins with PROJECT. The ICMP data section then includes\r\ntotal=[integer] and current=[integer], which are used by both PingPull and its C2 to determine the total length of the\r\ndata transmitted and the length of the chunk of data transmitted in the current packet. The data transmitted in each\r\nICMP packet comes in the form of a base64-encoded string of ciphertext generated using AES and the key\r\nspecific to the sample. This encoded and encrypted data comes after the new line that immediately follows the\r\n“current” value. For instance, when responding to our test command, PingPull sent the ICMP Echo Request packet\r\nseen in Figure 3 to the C2 server, which has the expected base64-encoded string of\r\nya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM= for the results of the command.\r\nFigure 3. PingPull responding to command over ICMP.\r\nHTTPS Variant\r\nAnother variant of PingPull uses HTTPS requests to communicate with its C2 server instead of ICMP. The initial\r\nbeacon uses a POST request over this HTTPS channel, using the unique identifier string generated by PingPull as\r\nthe URL. Figure 4 is an example POST request sent by PingPull as a beacon, where samp.exe was the filename,\r\nDESKTOP-U9SM1U2 was the hostname of the analysis system and 172.16.189[.]130 (0xAC10BD82) was the\r\nsystem's IP address.\r\nFigure 4. PingPull HTTPS beacon example.\r\nThe initial beacon is a POST request with no body, which results in a Content-Length of 0 in the HTTP headers. 
When responding with the results to commands, PingPull will issue a second POST\r\nrequest using the same URL structure with the results in the data section in base64-encoded and encrypted form\r\nusing the AES key. Figure 5 shows PingPull responding to our test command to read the contents of C:\\test.txt\r\nwith ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM= in the data section of the POST request, which decodes\r\nand decrypts to some text in a test file.\\x07\\x07\\x07\\x07\\x07\\x07\\x07.\r\nFigure 5. PingPull responding with results of a command over HTTPS.\r\nTCP Variant\r\nRather than ICMP or HTTPS, this variant of PingPull uses raw TCP for its C2\r\ncommunication. Much like the other C2 channels, the data sent in this beacon includes the unique identifier string\r\ngenerated by PingPull that begins with PROJECT. However, the TCP C2 channel begins with a 4-byte value for\r\nthe length of data that follows, as seen in the following beacon structure:\r\n[DWORD length of data that follows]PROJECT_[uppercase executable name]_[uppercase computer\r\nname]_[uppercase hexadecimal IP address]\r\nFigure 6 shows an example of the entire TCP communications channel:\r\nThe beacon sent by PingPull in the first red text.\r\nThe C2 issuing a command in the blue text.\r\nPingPull responding to the command in the second red text at the bottom of the image.\r\nFigure 6. PingPull TCP beacon, C2 issuing command and PingPull sending result.\r\nThe beacon seen in Figure 6 begins with a data length of 44 bytes (0x2c), followed by the unique identifier string\r\ngenerated on the analysis system, where samp_f86ebe.exe was the filename, DESKTOP-U9SM1U2 was the hostname\r\nand 172.16.189[.]130 (0xAC10BD82) was the system's IP address. 
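The following Python is an added example written for this edit, not code from the report or from the PingPull authors. It rebuilds the PROJECT identifier from executable name, host name and IP, parses the ICMP data section in both observed forms (with and without the hardcoded 8-byte prefix), reassembles a reply chunked across several Echo Requests using the total and current fields, and splits the length-prefixed TCP frames. Three points are inferences or assumptions rather than statements from the report: the executable name goes into the identifier without its extension (PROJECT_SAMP_F86EBE_DESKTOP-U9SM1U2_AC10BD82 is 44 bytes, matching the 0x2c length of the Figure 6 beacon, whereas keeping .EXE would give 48); total and current are taken to count bytes of the base64 text; and the DWORD length is read little-endian first, falling back to big-endian. The sample packets are constructed.

```python
import base64
import re

CRLF = bytes([13, 10])
# 8-byte value hardcoded in one ICMP sample, 0x702437047E404103 as stored little-endian.
ICMP_PREFIX = bytes([0x03, 0x41, 0x40, 0x7E, 0x04, 0x37, 0x24, 0x70])
# PROJECT_[EXE]_[HOST]_[HEX IP]. EXE may contain underscores (samp_f86ebe), so HOST is
# taken as the last underscore-free field before the eight hex digits.
IDENT_RE = re.compile(r'^PROJECT_(.+)_([^_]+)_([0-9A-F]{8})$')

def make_identifier(exe_name, computer_name, ip):
    '''Rebuild the implant identifier. The executable name is used without its extension
    (inference: the only reading under which the Figure 6 beacon is 44 bytes).'''
    stem = exe_name.rsplit('.', 1)[0]
    hexip = ''.join('%02X' % int(octet) for octet in ip.split('.'))
    return 'PROJECT_' + stem.upper() + '_' + computer_name.upper() + '_' + hexip

def parse_identifier(ident):
    '''Split an identifier into exe, host and dotted IP; None if it does not match.'''
    m = IDENT_RE.match(ident)
    if not m:
        return None
    exe, host, hexip = m.groups()
    n = int(hexip, 16)
    return {'exe': exe, 'host': host,
            'ip': '.'.join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))}

def parse_icmp_payload(payload):
    '''Parse the data section of a PingPull Echo Request or Echo Reply:
    [8-byte prefix]R[seq].[ident] CRLF total=N CRLF current=M CRLF [base64 chunk]
    The prefix is optional (both forms were observed); anything else yields None.'''
    if payload[:1] == b'R':
        body = payload[1:]
    elif payload[8:9] == b'R':
        body = payload[9:]
    else:
        return None
    head, sep, rest = body.partition(CRLF)
    seq, dot, ident = head.partition(b'.')
    if not (sep and dot and seq.isdigit() and ident.startswith(b'PROJECT_')):
        return None
    lines = rest.split(CRLF, 2)
    if len(lines) != 3 or lines[0][:6] != b'total=' or lines[1][:8] != b'current=':
        return None
    total, current = lines[0][6:], lines[1][8:]
    if not (total.isdigit() and current.isdigit()):
        return None
    return {'seq': int(seq), 'ident': ident.decode('ascii'),
            'total': int(total), 'current': int(current), 'data': lines[2]}

def reassemble(packets):
    '''Collect chunks per identifier and return the decoded ciphertext once they reach
    total. Beacons (total=0) carry nothing and are skipped. Assumes total and current
    count bytes of the base64 text, which is what the 44-byte reply suggests.'''
    pending, done = {}, {}
    for p in packets:
        if p['total'] == 0:
            continue
        buf = pending.pop(p['ident'], b'') + p['data']
        if len(buf) >= p['total']:
            done[p['ident']] = base64.b64decode(buf[:p['total']])
        else:
            pending[p['ident']] = buf
    return done

def parse_tcp_frame(frame):
    '''Split a [DWORD length][payload] TCP message. The byte order is not stated in the
    report: little-endian (the usual Windows DWORD layout) is tried first, and a frame
    is accepted only when the length equals the payload size exactly.'''
    payload = frame[4:]
    for order in ('little', 'big'):
        if len(frame) >= 4 and int.from_bytes(frame[:4], order) == len(payload):
            return {'order': order, 'length': len(payload), 'payload': payload}
    return None

def icmp_payload(ident, seq, data, total=None, prefix=ICMP_PREFIX):
    '''Constructed builder mirroring Figures 1 to 3, used only to feed the parsers.'''
    total = len(data) if total is None else total
    return (prefix + b'R' + str(seq).encode() + b'.' + ident.encode() + CRLF
            + b'total=' + str(total).encode() + CRLF
            + b'current=' + str(len(data)).encode() + CRLF + data)

# From the report: the Figure 6 analysis host and the base64 reply to the test command.
IDENT = make_identifier('samp_f86ebe.exe', 'DESKTOP-U9SM1U2', '172.16.189.130')
REPLY_B64 = b'ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM='

def demo():
    '''Beacon, a reply split over two Echo Requests (the second without the prefix),
    and the 44-byte TCP beacon frame; returns what the parsers make of each.'''
    beacon = parse_icmp_payload(icmp_payload(IDENT, 0, b''))
    chunks = [parse_icmp_payload(icmp_payload(IDENT, 0, REPLY_B64[:30], total=44)),
              parse_icmp_payload(icmp_payload(IDENT, 1, REPLY_B64[30:], total=44, prefix=b''))]
    tcp = parse_tcp_frame(len(IDENT).to_bytes(4, 'little') + IDENT.encode())
    return beacon, reassemble(chunks), tcp

if __name__ == '__main__':
    print(IDENT, len(IDENT))
    print(demo())
```

For detection, the useful invariants are the ones the parser enforces: an ICMP data section whose first or ninth byte is R followed by digits, a period and PROJECT_, then total= and current= lines; a TCP session whose first payload after the 4-byte length is a PROJECT_ string ending in eight hex digits; and a POST whose path is that same string. The hex suffix decodes to the victim's internal address, which makes the identifier worth extracting rather than just matching.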
The C2 response to the beacon begins\r\nwith the data length of 64 bytes (0x40) followed by the base64-encoded string that represents the ciphertext of the\r\ncommand (64 base64 characters, i.e., 48 bytes or three AES blocks of ciphertext). PingPull ran the command supplied by the C2 and sent the results in a packet that begins with a data\r\nlength of 44 bytes (0x2c), the length of the expected base64-encoded string\r\nya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM= for the results of the command.\r\nInfrastructure\r\nOn Sept. 9, 2021, a sample of PingPull named ServerMannger.exe (SHA256:\r\nde14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761) was shared with the cybersecurity\r\ncommunity by an organization in Vietnam. Analysis of this sample revealed that it was configured to call home to\r\nt1.hinitial[.]com. Pivoting on the C2, we identified several subdomains hosted under the hinitial[.]com domain\r\nthat exhibited a similar naming pattern:\r\nt1.hinitial[.]com\r\nv2.hinitial[.]com\r\nv3.hinitial[.]com\r\nv4.hinitial[.]com\r\nv5.hinitial[.]com\r\nDigging deeper into these domains, we began to identify overlaps in certificate use across the IP\r\ninfrastructure associated with each of the subdomains. One certificate that stood out in particular was an oddly\r\nconfigured certificate with a SHA1 of 76efd8ef3f64059820d937fa87acf9369775ecd5. This certificate was created\r\nwith a 10-year expiration window, a common name of bbb, and no other details, which immediately raised the\r\nquestion of legitimacy.\r\nFigure 7. X.509 certificate associated with hinitial[.]com infrastructure.\r\nFirst seen in September 2020, this certificate was linked to six different IP addresses all hosting a variant of the\r\nhinitial[.]com subdomains as well as an additional pivot to a dynamic DNS host (goodjob36.publicvm[.]com). 
Continuing this method of pivoting across all of the PingPull samples and their associated C2 domains has\r\nresulted in the identification of over 170 IP addresses associated with this group dating back to late 2020. The\r\nmost recent IP infrastructure is provided below for defensive purposes.\r\nProtections and Mitigations\r\nWe recommend that telecommunications, finance and government organizations located across Southeast Asia,\r\nEurope and Africa leverage the indicators of compromise (IoCs) below to identify any impacts to your\r\norganizations.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nCortex XDR detects and protects endpoints from the PingPull malware.\r\nWildFire cloud-based threat analysis service accurately identifies PingPull malware as malicious.\r\nThreat Prevention provides protection against PingPull malware. The “Pingpull Command and Control Traffic\r\nDetection” signature (threat IDs 86625, 86626 and 86627) provides coverage for the ICMP, HTTP(S) and raw\r\nTCP C2 traffic.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nUsers of the AutoFocus contextual threat intelligence service can view malware associated with these attacks\r\nusing the PingPull tag.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nConclusion\r\nGALLIUM remains an active threat to telecommunications, finance and government organizations across\r\nSoutheast Asia, Europe and Africa. 
Over the past year, we have identified targeted attacks impacting nine nations.\r\nThis group has deployed a new capability called PingPull in support of its espionage activities, and we encourage\r\nall organizations to leverage our findings to inform the deployment of protective measures to defend against this\r\nthreat group.\r\nSpecial thanks to the NSA Cybersecurity Collaboration Center, the Australian Cyber Security Centre and other\r\ngovernment partners for their collaboration and insights offered in support of this research.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSamples (SHA256)\r\nde14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761\r\nb4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541\r\nfc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e\r\nc55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845\r\nf86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3\r\n8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20\r\n1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6\r\nPingPull C2 Locations\r\ndf.micfkbeljacob[.]com\r\nt1.hinitial[.]com\r\n5.181.25[.]55\r\n92.38.135[.]62\r\n5.8.71[.]97\r\nDomains\r\nmicfkbeljacob[.]com\r\ndf.micfkbeljacob[.]com\r\njack.micfkbeljacob[.]com\r\nhinitial[.]com\r\nt1.hinitial[.]com\r\nv2.hinitial[.]com\r\nv3.hinitial[.]com\r\nv4.hinitial[.]com\r\nv5.hinitial[.]com\r\ngoodjob36.publicvm[.]com\r\ngoodluck23.jp[.]us\r\nhelpinfo.publicvm[.]com\r\nMailedc.publicvm[.]com\r\nIP Addresses\r\n(Active in last 30 
days)\r\n92.38.135[.]62\r\n5.181.25[.]55\r\n5.8.71[.]97\r\n101.36.102[.]34\r\n101.36.102[.]93\r\n101.36.114[.]167\r\n101.36.123[.]191\r\n103.116.47[.]65\r\n103.179.188[.]93\r\n103.22.183[.]131\r\n103.22.183[.]138\r\n103.22.183[.]141\r\n103.22.183[.]146\r\n103.51.145[.]143\r\n103.61.139[.]71\r\n103.61.139[.]72\r\n103.61.139[.]75\r\n103.61.139[.]78\r\n103.61.139[.]79\r\n103.78.242[.]62\r\n118.193.56[.]130\r\n118.193.62[.]232\r\n123.58.196[.]208\r\n123.58.198[.]205\r\n123.58.203[.]19\r\n128.14.232[.]56\r\n152.32.165[.]70\r\n152.32.203[.]199\r\n152.32.221[.]222\r\n152.32.245[.]157\r\n154.222.238[.]50\r\n154.222.238[.]51\r\n165.154.52[.]41\r\n165.154.70[.]51\r\n167.88.182[.]166\r\n176.113.71[.]62\r\n2.58.242[.]230\r\n2.58.242[.]231\r\n2.58.242[.]235\r\n202.87.223[.]27\r\n212.115.54[.]54\r\n37.61.229[.]104\r\n45.116.13[.]153\r\n45.128.221[.]61\r\n45.128.221[.]66\r\n45.136.187[.]98\r\n45.14.66[.]230\r\n45.154.14[.]132\r\n45.154.14[.]164\r\n45.154.14[.]188\r\n45.154.14[.]254\r\n45.251.241[.]74\r\n45.251.241[.]82\r\n45.76.113[.]163\r\n47.254.192[.]79\r\n92.223.30[.]232\r\n92.223.30[.]52\r\n92.223.90[.]174\r\n92.223.93[.]148\r\n92.223.93[.]222\r\n92.38.139[.]170\r\n92.38.149[.]101\r\n92.38.149[.]241\r\n92.38.171[.]127\r\n92.38.176[.]47\r\n107.150.127[.]124\r\n118.193.56[.]131\r\n176.113.71[.]168\r\n185.239.227[.]12\r\n194.29.100[.]173\r\n2.58.242[.]236\r\n45.128.221[.]182\r\n45.154.14[.]191\r\n47.254.250[.]117\r\n79.133.124[.]88\r\n103.137.185[.]249\r\n103.61.139[.]74\r\n107.150.112[.]211\r\n107.150.127[.]140\r\n146.185.218[.]65\r\n152.32.221[.]242\r\n165.154.70[.]62\r\n176.113.68[.]12\r\n185.101.139[.]176\r\n188.241.250[.]152\r\n188.241.250[.]153\r\n193.187.117[.]144\r\n196.46.190[.]27\r\n2.58.242[.]229\r\n2.58.242[.]232\r\n37.61.229[.]106\r\n45.128.221[.]172\r\n45.128.221[.]186\r\n45.128.221[.]229\r\n45.134.169[.]147\r\n103.170.132[.]199\r\n107.150.110[.]233\r\n152.32.255[.]145\r\n167.88.182[.]107\r\n185.239.226[.]203\r\n185.239.227[.]34\r\n45.128.221[.]169\r\n45.136.187[.]41\r\n137.220.55[.]38\r\n45.133.238[.]234\r\n103.192.226[.]43\r\n92.38.149[.]88\r\n5.188.33[.]237\r\n146.185.218[.]176\r\n43.254.218[.]104\r\n43.254.218[.]57\r\n43.254.218[.]98\r\n92.223.59[.]84\r\n43.254.218[.]43\r\n81.28.13[.]48\r\n89.43.107[.]191\r\n103.123.134[.]145\r\n103.123.134[.]161\r\n103.123.134[.]165\r\n103.85.24[.]81\r\n212.115.54[.]241\r\n43.254.218[.]114\r\n89.43.107[.]190\r\n103.123.134[.]139\r\n103.123.134[.]240\r\n103.85.24[.]121\r\n103.169.91[.]93\r\n103.169.91[.]94\r\n45.121.50[.]230\r\nUpdated June 13, 2022, at 4:45 a.m. PT\r\nSource: https://unit42.paloaltonetworks.com/pingpull-gallium/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/pingpull-gallium/"
	],
	"report_names": [
		"pingpull-gallium"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98d0f6a0688d735006c63f0d6d1035ac9b97eeb7.pdf",
		"text": "https://archive.orkl.eu/98d0f6a0688d735006c63f0d6d1035ac9b97eeb7.txt",
		"img": "https://archive.orkl.eu/98d0f6a0688d735006c63f0d6d1035ac9b97eeb7.jpg"
	}
}