{
	"id": "f48a83e6-d319-439d-b29a-23997ad11a84",
	"created_at": "2026-04-06T00:11:29.68072Z",
	"updated_at": "2026-04-10T13:11:52.358097Z",
	"deleted_at": null,
	"sha1_hash": "a2eb19d11e6716e3f967d84b5be45d202acbcbdb",
	"title": "Analysis of two arbitrary code execution vulnerabilities affecting WPS Office",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192255,
	"plain_text": "Analysis of two arbitrary code execution vulnerabilities affecting\r\nWPS Office\r\nBy Romain Dumont\r\nArchived: 2026-04-05 19:19:53 UTC\r\nESET researchers discovered a code execution vulnerability in WPS Office for Windows (CVE-2024-7262), as it\r\nwas being exploited by APT-C-60, a South Korea-aligned cyberespionage group. Upon analyzing the root cause,\r\nwe subsequently discovered another way to exploit the faulty code (CVE-2024-7263). Following a coordinated\r\ndisclosure process, both vulnerabilities are now patched – in this blogpost, we provide technical details. \r\nKey points of the blogpost:\r\nAPT-C-60 weaponized a code execution vulnerability in WPS Office for Windows (CVE-2024-\r\n7262) in order to target East Asian countries.\r\nA root cause analysis of this vulnerability is provided along with a description of its\r\nweaponization.\r\nThe study of the exploit led ESET researchers to the discovery of an alternative path to exploit\r\nthe vulnerability (CVE-2024-7263).\r\nOverview\r\nWhile investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s\r\nmany downloader components. Our analysis led us to the discovery of a code execution vulnerability in WPS\r\nOffice for Windows being exploited in the wild by APT-C-60 to target East Asian countries. The final payload is a\r\ncustom backdoor we internally named SpyGlace, publicly documented by ThreatBook as TaskControler.dll.\r\nAccording to the WPS website, this software has over 500 million active users worldwide, which makes it a good\r\ntarget to reach a substantial number of individuals in the East Asia region. During our coordinated vulnerability\r\ndisclosure process, DBAPPSecurity independently published an analysis of the weaponized vulnerability and\r\nconfirmed that APT-C-60 has exploited the vulnerability to deliver malware to users in China.\r\nThe malicious document (SHA-1: 7509B4C506C01627C1A4C396161D07277F044AC6) comes as an MHTML\r\nexport of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden\r\nhyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet\r\napplication. The rather unconventional MHTML file format allows a file to be downloaded as soon as the\r\ndocument is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote\r\ncode execution. Figure 1 shows how the document is displayed in WPS Spreadsheet: an image of rows and\r\ncolumns referencing the Coremail email solution, used as a decoy. The image hides the malicious hyperlink. \r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 1 of 13\n\nFigure 1. The exploit document embeds a picture hiding the malicious hyperlink\r\nFollowing our coordinated vulnerability disclosure policy, from the moment the weaponized document was\r\nuploaded to VirusTotal to the release of this blogpost, the following timeline was observed:\r\n2024-02-29: The exploit document for CVE-2024-7262 was uploaded to VirusTotal.\r\n2024-03-??: Kingsoft released an update that silently patched the CVE-2024-7672 vulnerability so that the\r\n2024-02-29 exploit no longer worked. This was determined retrospectively, by analyzing all accessible\r\nWPS Office releases between 2024-03 and 2024-04, as Kingsoft was not especially forthcoming in\r\nproviding precise details of its actions when attempting to repair this vulnerability.\r\n2024-04-30: We analyzed the malicious document from VirusTotal and discovered it was actively\r\nexploiting CVE-2024-7262, which was a zero-day vulnerability at the time of the document’s initial use.\r\nWe also discovered that Kingsoft’s silent patch addressed only one part of the faulty code, and the\r\nremaining flawed code was still exploitable.\r\n2024-05-25: We contacted Kingsoft to report our findings. While the first vulnerability was already\r\npatched, we asked if they could create a CVE entry and/or a public statement as they had for CVE-2022-\r\n24934.\r\n2024-05-30: Kingsoft acknowledged the vulnerabilities and told us they would keep us updated.\r\n2024-06-17: We asked for an update.\r\n2024-06-22: Kingsoft told us the development team was still working on it and was aiming to fix this in the\r\ncoming version.\r\n2024-07-31: Based on later tests, we found that CVE-2024-7263 was silently patched. We advised Kingsoft\r\nthat we had reserved and were preparing CVE-2024-7262 and CVE-2024-7263.\r\n2024-08-11: DBAPPSecurity team independently published its findings.\r\n2024-08-15: CVE-2024-7262 and CVE-2024-7263 were published.\r\n2024-08-16: We asked Kingsoft for another update.\r\n2024-08-22: Kingsoft acknowledged it had fixed CVE-2024-7263 by the end of May, which contradicts the\r\ncompany’s claim on 2024-06-22 that its development team “are still working on it”.\r\n2024-08-28: Kingsoft has acknowledged both vulnerabilities and that it has patched both. However, it has\r\nexpressed no interest in publicizing the in-the-wild exploitation of CVE-2024-7262 so we are now\r\npublishing this blogpost to warn Kingsoft’s customers that they should urgently update WPS Office due to\r\nin-the-wild exploitation and third-party disclosure of the CVE-2024-7262 vulnerability and exploit, which\r\nincrease the chances of further exploitation.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 2 of 13\n\nThe CVE-2024-7262 vulnerability stemmed from the lack of sanitization of an attacker-provided file path and\r\nlack of validation of the plugin being loaded. After analyzing its patch, we discovered another way to exploit the\r\nvulnerability by leveraging a further logic bug.\r\nCVE-2024-7262\r\nThis section describes the bug exploited by APT-C-60 that allows code execution via hijacking the control flow of\r\nthe WPS Office plugin component promecefpluginhost.exe. We also explain how the vulnerability was triggered\r\nand weaponized in the shape of a legitimate-looking spreadsheet document.\r\nRoot cause analysis\r\nWhen installing WPS Office for Windows, the software suite registers a custom protocol handler called ksoqing\r\nthat allows the execution of an external application whenever a user clicks on a URL starting with the URI scheme\r\nksoqing://. In the Windows operating system, the registration of a custom protocol handler is done in the registry.\r\nIn this case, the default value under the key HKCR\\ksoqing\\shell\\open\\command directs Windows to execute\r\nC:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Kingsoft\\WPS Office\\\u003cVERSION\u003e\\office6\\wps.exe with the argument\r\n/qingbangong \"%1\" where %1 is replaced with the full URL. To illustrate this, Figure 2 shows what happens when\r\na user clicks on a hyperlink using the custom protocol ksoqing inside the WPS Spreadsheet application (et.exe).\r\nFigure 2. The WPS Spreadsheet application starts wps.exe to handle the custom protocol ksoqing\r\nFigure 3 provides an overview of the control flow of the exploit for CVE-2024-7262.\r\nFigure 3. Overview of the exploit’s control flow\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 3 of 13\n\nOnce launched, wps.exe loads qingbangong.dll, the component responsible for parsing and validating certain\r\nparameters from the hyperlink. The malicious link in the exploit file we found has the following format\r\nksoqing://type=ksolaunch\u0026cmd=\u003cbase64-encoded string\u003e\u0026token=\u003cMD5\r\nhash\u003e\u0026launchname=promecefpluginhost.exe. According to our analysis and tests, this results in launching an\r\napplication already present on the system (in this case, promecefpluginhost.exe), with the attacker-provided\r\nbase64-encoded command line.\r\nThe token parameter is the MD5 hash of the encoded value of the cmd parameter concatenated with the string\r\n_qingLaunchKey_ followed by the encoded value of the launchname parameter. The last one must be an\r\nexecutable located under C:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Kingsoft\\WPS Office\\\u003cVERSION\u003e\\office6\\ and\r\nsigned with a valid certificate from Kingsoft.\r\nAfter decoding the cmd parameter, we found that the command line /qingbangong -CefParentID=1 -\r\nJSCefServicePath=\u003cbase64-encoded file path\u003e is passed to promecefpluginhost.exe. After some initialization, the\r\nlibrary ksojscore.dll is loaded and decodes the JSCefServicePath parameter. The result is a string passed as a\r\nparameter to Qt’s QLibrary::load method. This file path is attacker-defined, which means that an attacker could\r\nachieve code execution by loading an arbitrary DLL. Figure 4 illustrates how the attacker-controlled\r\nJSCefServicePath parameter is processed by ksojscore.dll.\r\nFigure 4. Parameter JSCefServicePath is decoded (left) and used as an argument for the\r\nQLibrary::load method (right)\r\nEssentially, it is possible to abuse the ksoqing scheme protocol and create a hyperlink that when clicked will load\r\na library from a given remote file path. APT-C-60 weaponized the vulnerability to execute its first-stage trojan\r\ndownloader component (SHA-1: 08906644B0EF1EE6478C45A6E0DD28533A9EFC29).\r\nExploiting the vulnerability\r\nIn order to exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by\r\nthe targeted computer either on the system or on a remote share, and know its file path in advance. The exploit\r\ndevelopers of this vulnerability knew a couple of tricks that helped them achieve this.\r\nLeveraging the MHTML format to download remote files\r\nThe authors of the exploit chose to leverage a specific feature of the supported MHTML file format to have their\r\nmalicious component downloaded and stored on the system in a predictable way. This particular type of file is an\r\nexport format offered by Microsoft Word and Excel applications to allow users to view documents in their\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 4 of 13\n\nbrowser. It is a multipart archive containing HTML, CSS, and JavaScript files that facilitate the display of the\r\ndocument. By inserting an img tag inside one of the HTML files, it is possible to make the Spreadsheet application\r\ndownload a remote file when the document is being loaded. For instance, Figure 5 shows one of our test files with\r\nthe img tag and its src element pointing to a library stored locally.\r\nFigure 5. img tag insertion\r\nWhen opening the spreadsheet document with the WPS Spreadsheet et.exe application, the remote library is\r\nautomatically downloaded and stored on disk, as observed using ProcMon shown in Figure 6.\r\nFigure 6. The WPS Spreadsheet application downloads and stores our library on the system\r\nFinding a predictable file path\r\nAs for the predictable file path problem, we found that the downloaded files are stored under\r\n%localappdata%\\Temp\\wps\\INetCache\\ and the filename is the MD5 hash of the URL encoded in UTF‑16LE. For\r\ninstance, our URL was http://localhost/Dll1.dll for which the MD5 hash is\r\n914CBE6372D5B7C93ADDC4FEB5E964CD. However, when trying to set the variable JSCefServicePath to\r\npoint to such a file path, it gets concatenated to the root directory of the WPS Office application located under\r\n%localappdata%\\Kingsoft\\WPS Office\\\u003cVERSION\u003e\\office6\\. If the file cannot be found, promecefpluginhost.exe\r\nwill try to retrieve the library from other paths, as shown in Figure 7.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 5 of 13\n\nFigure 7. The file path pointed to by JSCefServicePath is appended to the root directory of WPS\r\nOffice\r\nHowever, it is possible to use a relative path from the root directory of the WPS Office application, such as\r\n..\\..\\..\\..\\Temp\\wps\\INetCache\\914cbe6372d5b7c93addc4feb5e964cd.\r\nThe file extension problem\r\nThere’s a last obstacle to overcome. An astute reader would have probably noticed that the .dll extension gets\r\nappended to the filename when the promecefpluginhost.exe process tries to load the library. As seen in Figure 6,\r\nthe extension is not appended when the downloaded file is created. The authors of the exploit, once again, used\r\ntheir knowledge of the Windows API to bypass this restriction. As mentioned earlier, the QLibrary::Load method\r\nis responsible for loading the library which in turn calls LoadLibraryW. The documentation for the lpLibFileName\r\nparameter passed to this function states that adding a trailing dot character (.) prevents the function from\r\nappending the .dll extension. Therefore, appending this character to the relative path would allow our library to get\r\nloaded.\r\nReproducing the exploit\r\nWhen putting it all together, in order to reproduce the exploit, we followed these steps:\r\nHost a custom library on a web server.\r\nCompute the MD5 hash of the URL.\r\nBuild the corresponding hyperlink.\r\nCreate a spreadsheet document, insert the hyperlink, and export it as an MHTML file.\r\nInsert an img tag inside the exported file to point to the URL.\r\nFigure 8 illustrates how to build the hyperlink.\r\nFigure 8. Building the hyperlink\r\nAfter opening the document, a single click on the hyperlink triggered the vulnerability and our custom library was\r\nloaded as shown in Figure 9 and, in more detail, in Figure 10.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 6 of 13\n\nFigure 9. Our custom library gets written to disk and loaded\r\nFigure 10. Call stack detail of our library being loaded\r\nWhen loaded, our custom library writes the PID, the presence of admin privileges, and the file path of the hosting\r\nprocess to a log file. We reproduced the exploit for different versions of WPS Office for Windows as illustrated in\r\nFigure 11.\r\nFigure 11. Log file listing for vulnerable WPS Office versions\r\nSince this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and\r\ncolumns inside the spreadsheet in order to deceive and convince the user that the document is a regular\r\nspreadsheet. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger\r\nthe exploit, as reproduced in Figure 12.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 7 of 13\n\nFigure 12. A deceptive spreadsheet embedding an image of regular rows and columns\r\nAnother interesting fact about this vulnerability is that it can also be triggered via a single click in the preview\r\npane in Windows Explorer, which makes it even more dangerous.\r\nAffected versions\r\nThe affected versions of WPS Office for Windows range from 12.2.0.13110, released around August 2023 until\r\nthe release of the patch in March 2024 with version 12.1.0.16412. The weaponized document was first uploaded\r\nto VirusTotal in February; some malicious components, given their PE timestamp, were built in February.\r\nCVE-2024-7263\r\nThis section provides an analysis of the patch for CVE-2024-7262 and the resulting discovery of another code\r\nexecution vulnerability via hijacking the control flow of the same WPS Office plugin component:\r\npromecefpluginhost.exe.\r\nRoot cause analysis\r\nDuring the process of figuring out which versions were affected by the first vulnerability, we analyzed the patch\r\nthat was silently introduced in version 12.1.0.16412 (released around March 2024) to mitigate CVE-2024-7262.\r\nEssentially, additional checks were put inside the promecefpluginhost.exe and ksojscore.dll components to verify\r\nthe attacker-controlled variable JSCefServicePath. However, a similar variable was not covered by the patch:\r\nCefPluginPathU8.\r\nThe first check happens when promecefpluginhost.exe iterates over its different command line arguments. If a\r\nparameter has the same name (case sensitive comparison) as one of the aforementioned variables, the parameter is\r\ndiscarded as shown in Figure 13.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 8 of 13\n\nFigure 13. Code checking and discarding passed parameters\r\nAfter that, it retrieves the expected file path for JSCefServicePath where jscefservice.dll is supposed to be stored.\r\nThe real path should be %LOCALAPPDATA%\\Kingsoft\\WPS Office\\\u003cVERSION\u003e\\office6\\addons\\kcef\\, as seen\r\nin Figure 14. The same is done for CefPluginPathU8 for which the real path should point to\r\n%LOCALAPPDATA%\\Kingsoft\\WPS Office\\\u003cVERSION\u003e\\office6\\addons\\cef\\.\r\nFigure 14. Code retrieving the correct library to load\r\nA new command line is built with the accepted command line parameters, followed by the retrieved file paths\r\nidentified by the named variables. promecefpluginhost.exe then loads the library ksojscore.dll and its export\r\nCefRenderEntryPoint is called with the rebuilt command line. Both named variables are checked but this time the\r\ncomparison is case insensitive (see line 2 in Figure 15).\r\nFigure 15. The first case-insensitive occurrence of the variable is taken\r\nHere lies the first logic flaw. If at least one letter of the named variables is changed to its uppercase or lowercase\r\ncounterpart, the first (case-sensitive) check will not result in the attacker-specified parameter being rejected, and\r\nthe command line will look like the following (for example):\r\n-JSCEfServicePath=\u003cATTACKER_CONTROLLED\u003e \u003cOTHER_PARAMETERS\u003e -JSCefServicePath=\r\n\u003cREAL_PATH\u003e (notice the case change in the first variable name for the first letter E).\r\nWhen such a command line is passed to ksojscore.dll, it will only take the first occurrence of the variable and the\r\nattacker-controlled variable is always placed before the valid ones.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 9 of 13\n\nHowever, before loading the library given by the JSCefServicePath file path, a second check was introduced. The\r\nfunction krt::ksafe::KProcess::verifyZhuHaiKingsoftCertSigner is called to check the certificate of the library and\r\nmake sure that it is a library belonging to Kingsoft, as shown in Figure 16. So, an attacker cannot load any\r\narbitrary library.\r\nFigure 16. Checking the signature of the library being loaded\r\nHowever, the CefPluginPathU8 variable is not checked correctly. Here lies the second flaw. After verifying the\r\nJSCefServicePath file path, the library jscefservice.dll is loaded and calls LoadLibraryExW with the file path\r\nprovided by CefPluginPathU8 concatenated with the string \\libcef.dll without checking its signature.\r\nIf at least one letter of the variable CefPluginPathU8 is changed, jscefservice.dll will try to load the libcef.dll\r\nlibrary stored under the attacker-controlled file path given by the variable, as observed in Figure 17.\r\nFigure 17. The library jscefservice.dll loads the library pointed to by the attacker-defined path\r\nwithout checking its signature\r\nExploiting the vulnerability\r\nThe main constraint of this vulnerability is the string libcef.dll that is appended to the file path. As of the writing\r\nof this blogpost, we haven't found a way to download a file and choose its filename. However, on a local network,\r\nhosting a library on a share and having the variable CefPluginPathU8 point to it works because LoadLibraryExW\r\nallows network paths to be specified. The screenshot shown in Figure 18 illustrates how the control flow of\r\npromecefpluginhost.exe (version 12.2.0.16909 released late April 2024) was hijacked using a network path.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 10 of 13\n\nFigure 18. Procmon’s stack view showing the loading of our custom library\r\nAffected versions\r\nThe affected versions of WPS Office for Windows range from 12.2.0.13110, released around August 2023, until\r\nthe release of the patch at the end of May 2024 with version 12.2.0.17119.\r\nConclusion\r\nAs WPS Office is a software suite mostly distributed in Asia, APT-C-60 demonstrated just how much it is\r\ndetermined to compromise targets in East Asian countries. Whether the group developed or bought the exploit for\r\nCVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of\r\nhow the Windows loading process behaves. The exploit is cunning as it is deceptive enough to trick any user into\r\nclicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the\r\nMHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.\r\nAdditionally, our discovery of CVE-2024-7263 underlines the importance of a careful patch verification process\r\nand making sure the core issue has been addressed in full.\r\nWe strongly advise WPS Office for Windows users to update their software to the latest release.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.\r\nFiles\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 11 of 13\n\nSHA-1 Filename Detection Description\r\n7509B4C506C01627C1A4\r\nC396161D07277F044AC6\r\ninput.htm HTML/Agent.HQ\r\nMHTML-formatted\r\nWPS Spreadsheet\r\nexploit –\r\nCVE‑2024‑7262.\r\n08906644B0EF1EE6478C\r\n45A6E0DD28533A9EFC29\r\nWPS_TEST_DLL.dll\r\nWin32/TrojanDownloader.\r\nAgent.HRP\r\nDownloader\r\ncomponent.\r\nNetwork\r\nIP Domain\r\nHosting\r\nprovider\r\nFirst seen Details\r\n162.222.214[.]48\r\n131.153.206[.]231\r\nrammenale[.]com PhoenixNAP 2024-03-08\r\nC\u0026C server hosting next\r\nstages.\r\nMITRE ATT\u0026CK Techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1583.001 Domains\r\nAPT-C-60 acquired a domain name for its\r\nC\u0026C server.\r\nT1583.004 Server APT-C-60 acquired a server for its C\u0026C.\r\nT1608.001 Upload Malware\r\nAPT-C-60’s next stages were uploaded to\r\nits C\u0026C server.\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 12 of 13\n\nTactic ID Name Description\r\nT1587.004 Exploits\r\nAPT-C-60 developed or purchased an\r\nexploit for CVE-2024-7262.\r\nExecution\r\nT1203\r\nExploitation for Client\r\nExecution\r\nAPT-C-60 exploited CVE-2024-7262 to\r\nachieve execution.\r\nT1204.001 Malicious Link\r\nThe exploit used by APT-C-60 requires a\r\nclick on a hyperlink.\r\nSource: https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nhttps://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/"
	],
	"report_names": [
		"analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2eb19d11e6716e3f967d84b5be45d202acbcbdb.pdf",
		"text": "https://archive.orkl.eu/a2eb19d11e6716e3f967d84b5be45d202acbcbdb.txt",
		"img": "https://archive.orkl.eu/a2eb19d11e6716e3f967d84b5be45d202acbcbdb.jpg"
	}
}