{
	"id": "f7cc263c-34c8-40d7-bf47-4a57066b3377",
	"created_at": "2026-04-06T00:22:25.697882Z",
	"updated_at": "2026-04-10T03:23:24.749037Z",
	"deleted_at": null,
	"sha1_hash": "b6138265089765a370a378ba014b6dcfafa206d1",
	"title": "nao-sec.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18414415,
	"plain_text": "nao-sec.org\r\nBy nao_sec\r\nPublished: 2024-10-16 · Archived: 2026-04-05 16:46:22 UTC\r\nIcePeony with the '996' work culture\r\n2024-10-16\r\nThis blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful\r\nto Virus Bulletin for giving us the opportunity to present.\r\nhttps://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/\r\ntl;dr\r\nWe have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to\r\noperational mistakes, they exposed their resources, allowing us to uncover details of their attacks.\r\nIcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted\r\ngovernment agencies, academic institutions, and political organizations in countries such as India,\r\nMauritius, and Vietnam.\r\nTheir attacks typically start with SQL Injection, followed by compromise via webshells and backdoors.\r\nInterestingly, they use a custom IIS malware called “IceCache”.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 1 of 19\n\nThrough extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating\r\nunder harsh work conditions.\r\nIcePeony\r\nIcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They\r\nmainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200\r\nattempts to attack various government websites in India.\r\nThey use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or\r\nmalware. Ultimately, their goal is to steal credentials.\r\nWe believe IcePeony works for China’s national interests. It is possible that they prioritize China’s maritime\r\nstrategy.\r\nOur research found that IcePeony targeted government and academic institutions in India, political parties in\r\nVietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that\r\nthey will expand their targets in the future.\r\nOPSEC fail\r\nIn July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap,\r\nvia an open directory. What made this discovery even more compelling was the presence of a zsh_history file.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 2 of 19\n\nOne of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records\r\ncommand history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each\r\ncommand was executed. This enabled us to construct a highly detailed timeline of the attack.\r\nUnlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective.\r\nWe could observe their trial-and-error process and how they executed the intrusion.\r\nThe zsh_history was not the only interesting file. There were many others.\r\nFor example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify\r\nlengthy commands and commands to quickly access help information.\r\nHere is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz.\r\nThis improved their effectiveness during attacks.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 3 of 19\n\nIntrusion Timeline\r\nWe obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.\r\nOn day-1, the attacker attempted SQL injections on several government websites. When the exploit succeeded,\r\nthey installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain\r\ninformation of compromised hosts and created accounts for further exploitation. On day three, which was a\r\nSunday, no actions were taken. On day-3, which was a Sunday, they did not perform any actions. It seems the\r\nattacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules. We will explain this in\r\nmore detail later. On day-5, the attacker expanded their reach by attempting more SQL injections on other\r\ngovernment websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a\r\nrootkit called Diamorphine. On day-7, they continued to attack other hosts using tools like URLFinder and\r\nsqlmap.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 4 of 19\n\nOn day-8, they used IceCache to steal information from the compromised environment, especially focusing on\r\ndomain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing\r\nsince it was a Sunday. On day-11, they used tools like craXcel and WmiExec. They used craXcel, an open-source\r\ntool, to unlock password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and\r\nset persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.\r\nOver the course of two weeks, the attacker utilized a variety of tools and commands to compromise government\r\nwebsites and exfiltrate information.\r\nIcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we will highlight\r\nonly the most distinctive tools they use.\r\nStaX\r\nStaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker\r\nenhanced Stowaway with custom processing. Based on development strings, we called this version StaX.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 5 of 19\n\nStaX included encryption for communication targets specified in active mode using Custom Base64 and AES.\r\nProxyChains\r\nProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.\r\ninfo.sh is a script that collects system information from the compromised environment. It gathers environment\r\ninformation, user information, installed tool versions, network settings, SSH configuration files, and command\r\nhistory.\r\nlinux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the\r\nserver and creates backdoor users.\r\nInterestingly, they installed a rootkit called Diamorphine, which is available on GitHub.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 6 of 19\n\nMalware\r\nThe IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache to attack\r\nthe attack surface server. Additionally, during the investigation, we discovered another related malware, which we\r\ncalled IceEvent. Although no logs of using IceEvent were found. We believe it was used to compromise another\r\ncomputer that was not connected to the internet.\r\nIceCache\r\nIceCache is an ELF64 binary developed in Go language. It is customized based on the open-source software\r\nreGeorge.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 7 of 19\n\nTo facilitate their intrusion operations, they added file transmission commands and command execution\r\nfunctionality.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 8 of 19\n\nIceCache module is installed and run on IIS servers. The number of commands change, but they are classified into\r\ntwo types based on authentication tokens. We found files with remaining PDB information. These files were\r\ndeveloped by a user named “power” in a project called “cachsess”\r\nPDB Path\r\nC:\\Users\\power\\documents\\visual studio 2017\\Projects\\cachsess\\x64\\Release\\cachsess.pdb\r\nC:\\Users\\power\\Documents\\Visual Studio 2017\\Projects\\cachsess\\Release\\cachsess32.pdb\r\nThe number of commands changes over time, but it includes command execution functions, SOCKS proxy\r\nfunctions, and file transmission functions.\r\nTYPE-A Description\r\nEXEC / EXEC_PRO Command to the execution of a process\r\nSOCKS_HELLO Command to SOCKS protocol initial handshake message\r\nSOCKS_CONNECT Command to indicate a connection request with the SOCKS protocol\r\nSOCKS_DISCONNECT Command to indicate disconnection with SOCKS protocol\r\nSOCKS_READ Command to reading of data in SOCKS protocol\r\nSOCKS_FORWARD Command to instruct data transfer via SOCKS protocol\r\nPROXY_ADD Command to add a proxy\r\nPROXY_LIST Command to list a proxy\r\nPROXY_DEL Command to del a proxy\r\nPROXY_CLEAR Command to clear all proxy settings\r\nPROXY_SET_JS Set the JavaScript\r\nPROXY_GET_JS Get set the JavaScript\r\nPROXY_ALLOW_PC Allowed PC settings\r\nPROXY_CACHE_CLEAR Command to clear the proxy cache\r\nPROXY_CACHE_TIME Command to set proxy cache time\r\nFILE_UPLOAD Upload Files\r\nFILE_DOWNLOAD Download Files\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 9 of 19\n\nTYPE-B Description\r\nEXEC / EXEC_PRO Command that directs the execution of a process\r\nSOCKS_HELLO SOCKS protocol initial handshake message\r\nSOCKS_CONNECT\r\nCommand to indicate a connection request with the SOCKS\r\nprotocol\r\nSOCKS_DISCONNECT Command to indicate disconnection with SOCKS protocol\r\nSOCKS_READ Command that directs reading of data in SOCKS protocol\r\nSOCKS_FORWARD Command to instruct data transfer via SOCKS protocol\r\nPROXY_ADD Command to add a proxy\r\nPROXY_LIST Command to list a proxy\r\nPROXY_DEL Command to del a proxy\r\nPROXY_CLEAR Command to clear all proxy settings\r\nFILE_UPLOAD / FILE_UPLOAD_PRO Upload Files\r\nFILE_DOWNLOAD /\r\nFILE_DOWNLOAD_PRO\r\nDownload Files\r\nIIS_VERSION Show IIS version\r\nThese are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and\r\nsubmitted to VirusTotal in October. Since there is no discrepancy between the compille time and the first\r\nsubmission, we believe the dates are reliable.\r\nMany new samples have also been found since 2024. Most of the submitters are from India, which matches the\r\nvictim information we have gathered from OpenDir data.\r\nThe number of commands has change over time. It is show that the malware’s developers have made\r\nimprovements while continuing their intrusion operations.\r\nsha256[:8]\r\nCompile\r\nTime\r\nFirst\r\nSubmission\r\nSubmitter\r\nCmd\r\nNum\r\nX-Token TYPE\r\n5b16d153\r\n2024-07-17\r\n09:11:14\r\n2024-08-03\r\n04:58:20\r\nc8d0b2b9\r\n(ID)\r\n20 tn7rM2851XVvOFbc B\r\n484e2740\r\n2024-06-21\r\n03:05:15\r\n2024-08-07\r\n09:25:53\r\n39d4d6d2 -\r\nemail\r\n20 tn7rM2851XVvOFbc B\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 10 of 19\n\nsha256[:8]\r\nCompile\r\nTime\r\nFirst\r\nSubmission\r\nSubmitter\r\nCmd\r\nNum\r\nX-Token TYPE\r\n11e90e24\r\n2024-06-05\r\n03:52:48\r\n2024-06-18\r\n12:21:50\r\nd9cb313c\r\n(ID)\r\n20 tn7rM2851XVvOFbc B\r\nb8d030ed\r\n2024-06-05\r\n03:52:41\r\n2024-06-18\r\n10:47:18\r\n408f1927\r\n(ID)\r\n20 tn7rM2851XVvOFbc B\r\nceb47274\r\n2024-04-25\r\n09:53:26\r\n2024-08-02\r\n21:50:50\r\n06ac9f47\r\n(BR)\r\n20 tn7rM2851XVvOFbc B\r\nd1955169\r\n2024-04-21\r\n11:29:25\r\n2024-06-18\r\n12:24:39\r\nd9cb313c\r\n(ID)\r\n18 tn7rM2851XVvOFbc B\r\nde8f58f0\r\n2024-04-21\r\n11:29:10\r\n2024-06-18\r\n10:49:53\r\n408f1927\r\n(ID)\r\n18 tn7rM2851XVvOFbc B\r\n53558af\r\n2024-03-27\r\n05:08:50\r\n2024-04-19\r\n07:57:19\r\nc2440bbf\r\n(ID)\r\n18 tn7rM2851XVvOFbc B\r\n0b8b10a2\r\n2024-03-27\r\n05:08:57\r\n2024-04-18\r\n13:54:16\r\nc2440bbf\r\n(ID)\r\n18 tn7rM2851XVvOFbc B\r\na66627cc\r\n2024-02-20\r\n09:36:12\r\n2024-03-12\r\n15:17:55\r\na6412166\r\n(VN)\r\n16 cbFOvVX1582Mr7nt A\r\ne5f520d9\r\n2024-02-01\r\n09:32:21\r\n2024-07-17\r\n09:30:54\r\n24761b38\r\n(SG)\r\n24 cbFOvVX1582Mr7nt A\r\n3eb56218\r\n2023-12-07\r\n03:04:16\r\n2024-02-20\r\n13:54:02\r\n0f09a1ae\r\n(ID)\r\n24 cbFOvVX1582Mr7nt A\r\n5fd5e99f\r\n2023-09-27\r\n00:50:46\r\n2024-03-24\r\n08:59:02\r\nCa43fb0f\r\n(ID)\r\n24 cbFOvVX1582Mr7nt A\r\n0eb60e4c\r\n2023-08-23\r\n09:11:24\r\n2023-10-18\r\n10:11:00\r\n0e8f2a34\r\n(VN)\r\n18 cbFOvVX1582Mr7nt A\r\nIceEvent\r\nIceEvent is a simple passive-mode backdoor that installed as a service.\r\nPDB Path\r\nC:\\Users\\power\\Documents\\Visual Studio 2017\\Projects\\WinService\\x64\\Release\\WinService.pdb\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 11 of 19\n\nTwo types have been identified based on the command format. Both types only have the minimum necessary\r\ncommands. The older type was discovered in September 2023, and several new types were found in April of this\r\nyear. All of these were submitted from India.\r\nTYPE-A Description\r\nFILE: Command to Reading files via sockets\r\nCMD: Command to the execution of a process\r\nTYPE-B Description\r\nUPFILE Upload Files\r\nDOWNFILE Download Files\r\nCMD Command to the execution of a process\r\nsha256[:8] Compile Time First Submission Submitter Cmd Num TYPE\r\n80e83118 2024-04-25 09:50:58 2024-07-25 05:43:08 INDIA (99003aca) 3 B\r\n9aba997b 2024-04-30 04:48:48 2024-06-14 05:46:49 INDIA (060734bd) 3 B\r\n9a0b0439 2024-04-25 09:50:58 2024-06-14 05:00:08 INDIA (060734bd) 3 B\r\nbc94da1a 2023-08-23 08:52:46 2023-09-05 03:03:57 INDIA (81f8b666) 2 A\r\nSimilarities\r\nWe believe that IceEvent was developed because a simple passive backdoor was needed during intrusions, based\r\non code similarities with IceCache. Both IceCache and IceEvent use the same key for XOR to encode\r\ncommunication data. And PDB information shows that the same developer created both malware.\r\nThis is the XOR-based data encoding process used for communication data, which is equal to both malware.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 12 of 19\n\nThis is the command execution process equal to both malware. Since the function calls and branching processes\r\nare exactly the same, we believe they were compiled from the same source code. Other commands also match\r\nperfectly.\r\nThe communication data of IceCache and IceEvent is only encoded using the XOR process mentioned earlier,\r\nmaking it easy to decode. Here is an example of decoding the data during command execution.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 13 of 19\n\nAttribution\r\nWe investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a\r\nresult, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works\r\nfrom 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers.\r\nSimilarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work\r\nsix days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday.\r\nThis investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead\r\nengaging in them as part of organized, professional operations.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 14 of 19\n\nBy the way, have you heard of the term “996 working hour system”? This term originated in China’s IT industry.\r\nIn China’s IT industry, long working hours see as a problem. It refers to working from 9 a.m. to 9 p.m.,six days a\r\nweek. Such hard work conditions are called the “996 working hour system”. IcePeony might be working under the\r\n996 working hour system.\r\nhttps://en.wikipedia.org/wiki/996_working_hour_system\r\nNext, There is a very simple example to consider when discussing attribution. IcePeony sometimes includes\r\nSimplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the\r\nIceCache Client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified\r\nChinese is commonly used.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 15 of 19\n\nIcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge.\r\nMore specifically, IceCache contains a string referring to a project named reGeorgGo.\r\nUpon investigating reGeorgGo, We found that it was developed by a Chinese security engineer. There is no other\r\ninformation about this project on the internet, aside from the developer’s blog. It was a not well-known tool.\r\nHowever, the publicly available reGeorgGo is a tool with only three arguments, where as IceCache has more\r\ncommands added to it.\r\nhttps://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo\r\nLet’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and\r\nVietnam. While attacks on India and Vietnam are generally not uncommon. What about Mauritius?\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 16 of 19\n\nMauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently formed a\r\ncooperation with India. They are wary of China’s expansion into the Indian Ocean and have begun various forms\r\nof collaboration to counter this influence.\r\nhttps://www.mea.gov.in/newsdetail1.htm?12042/\r\nWe summarize the attribution information using the Diamond Model.\r\nIcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries\r\nand work under the 996 working hour system.\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 17 of 19\n\nThey prefer open-source software developed in Chinese-speaking regions and use their original malware,\r\nIceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region.\r\nAdditionally, the governments and education sectors in Mauritius and Vietnam were also targeted.\r\nWrap-Up\r\nIn this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows\r\nthat they have been active since at least 2023. Their primary targets are countries in Asia, such as India and\r\nVietnam.\r\nThe log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony\r\ntypically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they\r\ninstall web shells or execute malware. Ultimately, they aim to steal credentials.\r\nWe suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s\r\nnational interests, possibly in connection with China’s maritime strategy. They remain active, and we must\r\ncontinue monitoring their activities closely moving forward.\r\nIoCs\r\nIP\r\n165[.]22.211.62\r\n64[.]227.133.248\r\n173[.]208.156.19\r\n173[.]208.156.144\r\n154[.]213.17.225\r\n103[.]150.186.219\r\n63[.]141.255.16\r\n204[.]12.205.10\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 18 of 19\n\n107[.]148.37.63\r\n103[.]99.60.119\r\n154[.]213.17.237\r\n45[.]195.205.88\r\n154[.]213.17.244\r\n103[.]99.60.93\r\n149[.]115.231.17\r\n149[.]115.231.39\r\n103[.]99.60.108\r\nDomain\r\nd45qomwkl[.]online\r\nk9ccin[.]com\r\nk8ccyn[.]com\r\n88k8cc[.]com\r\ngooglesvn[.]com\r\nIceCache\r\n484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f\r\n5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811\r\nceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b\r\ne5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b\r\nd1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950\r\n11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63\r\nde8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c\r\nb8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681\r\n535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd\r\n0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd\r\n5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46\r\n3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c\r\na66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6\r\n0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77\r\nIceEvent\r\n80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58\r\n9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e\r\n9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea\r\nbc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b\r\nSource: https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nhttps://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html"
	],
	"report_names": [
		"IcePeony-with-the-996-work-culture.html"
	],
	"threat_actors": [
		{
			"id": "1aec4044-b06e-4821-8270-11660ba3156b",
			"created_at": "2024-11-03T02:00:03.647946Z",
			"updated_at": "2026-04-10T02:00:03.738402Z",
			"deleted_at": null,
			"main_name": "IcePeony",
			"aliases": [],
			"source_name": "MISPGALAXY:IcePeony",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791404,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6138265089765a370a378ba014b6dcfafa206d1.pdf",
		"text": "https://archive.orkl.eu/b6138265089765a370a378ba014b6dcfafa206d1.txt",
		"img": "https://archive.orkl.eu/b6138265089765a370a378ba014b6dcfafa206d1.jpg"
	}
}