{
	"id": "41b7c86f-df54-4f6f-b392-6fd713fdb0b7",
	"created_at": "2026-04-06T00:18:40.540651Z",
	"updated_at": "2026-04-10T13:12:25.291162Z",
	"deleted_at": null,
	"sha1_hash": "bb44cae428068d8ca39adc1d038a34d16df991f6",
	"title": "Lazarus Campaign Uses Remote Tools, RATANKBA, and More",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98650,
	"plain_text": "Lazarus Campaign Uses Remote Tools, RATANKBA, and More\r\nPublished: 2018-01-24 · Archived: 2026-04-05 13:08:27 UTC\r\nUpdated the detection names on January 25, 2018, 9:47 PM PDT\r\nFew cybercrime groups have gained as much notoriety—both for their actions and for their mystique—as the Lazarus group. Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government, these threat actors have pulled off some of the most notable and devastating targeted attacks in recent history, such as the widely reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank. Throughout the Lazarus group's operational history, few threat actors have matched the group in both scale and impact, due in large part to the wide variety of tools and tactics at the group’s disposal.\r\nThe malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent watering hole campaign targeting financial institutions. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems. We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL-A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.\r\nWe identified a number of servers Lazarus used as a backend system for temporarily holding stolen data. 
We were able to access this backend, which provided us with valuable information about this attack and its victims.\r\nAround 55% of the victims of RATANKBA’s PowerShell version were located in India and neighboring countries. This implies that the Lazarus group is either collecting intelligence about targets in this region or is at an early stage of planning. They could also have been performing exercises in preparation for an attack against similar targets.\r\nThe majority of the observed victims were not using enterprise versions of Microsoft software. Less than 5% of the victims were Microsoft Windows Enterprise users, which means that currently, RATANKBA mostly affects smaller organizations or individual users rather than larger organizations. It is possible that Lazarus is using tools other than RATANKBA to target larger organizations.\r\nLazarus’ backend logs also record victim IP addresses. Based on a reverse WHOIS lookup, none of the victims can be associated with a large bank or a financial institution. However, we did manage to identify victims that are likely employees of three web software development companies in India and one in South Korea.\r\nInfection Flow\r\nFigure 1. RATANKBA Infection Flow\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/\r\nPage 1 of 6\r\nRATANKBA is delivered to its victims using a variety of lure documents, including Microsoft Office documents, malicious CHM files, and different script downloaders. These documents discuss either software development or digital currencies. The growth of cryptocurrencies may be a driving force behind the use of cryptocurrency-related lures.\r\nAn example of a lure used in a RATANKBA attack can be seen below:\r\nFigure 2. Malicious CHM file used as RATANKBA lure\r\nOnce the lure’s recipient opens and executes the file, a backdoor is dropped onto the victim’s system. This RATANKBA backdoor is what communicates with RATANKBA’s Command-and-Control (C\u0026C) server. We have observed two initial conversations with the C\u0026C server (all are done via HTTP GET or POST to the server):\r\nHTTP POST to {script}.jsp?action=BaseInfo\u0026u=XXX: Sends the victim information to the backend server\r\nHTTP GET to {script}.jsp?action=What\u0026u=XXX: Checks if there are any pending jobs for the backdoor\r\nThis means that the backdoor is responsible both for uploading victim information and for executing any tasks that the controller has assigned to it, which include the following:\r\nkill: Stops the backdoor’s activities\r\ninterval: Changes the interval at which the backdoor retrieves jobs; the default interval is 120 seconds\r\ncmd: Executes shell commands\r\nexe: Reflectively injects a DLL downloaded from a specific URL\r\nIn addition to the backdoor’s own tasking, the attackers use the Microsoft WMI command-line tool to list the compromised system’s running processes, which are sent to the C\u0026C server. The findstr filters keep only processes whose command line contains SysWOW or x86, that is, 32-bit processes on a 64-bit system:\r\n“C:\\Windows\\system32\\cmd.exe” /c “wmic process get processid,commandline,sessionid | findstr SysWOW”\r\n“C:\\Windows\\system32\\cmd.exe” /c “wmic process get processid,commandline,sessionid | findstr x86”\r\nTechnical Analysis\r\nDuring our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ hosts by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and the controller retrieves the collected information.\r\nFigure 3. RATANKBA communication diagram\r\nThe RATANKBA malware has a control model that does not use real-time communication between the backdoor and the attacker. Instead, both the remote controller and the backdoor connect to the main communication control server to push or pull pieces of information. The controller has a graphical interface and can be used to push code to the server, while the backdoor regularly connects to the server to check for pending tasks. The controller downloads the victim profiles from the server; once the controller has downloaded a profile, it is deleted from the server side. The controller can post victim-specific tasks as well as global tasks to the server. Below are the various functionalities of RATANKBA’s controller:\r\nCommand Name: Function\r\nget_time: Retrieves the server time\r\ndelete_inf: Deletes the downloaded victim profiles\r\ndelete_con: Deletes the connection log files if they were already downloaded\r\nKill: Posts a job to kill the backdoor\r\ninject: Posts a job for DLL injection\r\nInterval: Changes the sleep interval\r\nCmd: Posts a job for command shell execution\r\ndelete_cmd: Retrieves the job results and deletes the posted job\r\nbroadcast_cmd: Posts a job for all the backdoors connecting to the server\r\nFigure 4. RATANKBA main console interface\r\nFigure 5. RATANKBA host manipulation console\r\nRATANKBA’s controller uses the “Nimo Software HTTP Retriever 1.0” user-agent string for its communication. The communication protocol format for the controller and backdoor is as follows:\r\n· \u003cdomain\u003e/\u003cjsp filename\u003e.jsp?action=\u003ccorresponding action plus any additional parameters\u003e\r\nOne of the most notable changes in the new RATANKBA variant is that it is written in PowerShell, whereas the original variant was a PE file. The shift from PE to PowerShell makes it harder for antivirus solutions to detect, although PowerShell script block logging and AMSI still expose the script at run time. The screenshots below show the conversion from C/C++ code to PowerShell, while the protocol remained unchanged.\r\nFigure 6. C/C++ version of RATANKBA\r\nFigure 7. PowerShell version of RATANKBA\r\nProfile of the Attackers\r\nWhile we do not know who the actual Lazarus attackers are, the data collected from the backend systems gives us some insight into the internet usage patterns of systems likely owned by Lazarus group members. Clues regarding the profiles of the attackers were also found, including those connected to developers and at least one operator. All of them appear to be native Korean speakers, or at least have near-native Korean language proficiency. We believe at least one of them also understands Chinese.\r\nWe also observed clues that the attackers are interested in cryptocurrencies such as Bitcoin (BTC) and Ant Share (NEO). One of them transferred NEO at a good market price.\r\nFigure 8. Empty cryptocurrency wallet of the attacker\r\nFigure 9. An attacker transfers 594 NEO to another wallet, with the money going to a mixer\r\nFigure 10. 
An attacker mining Ant Share\r\nDefending against RATANKBA\r\nGiven Lazarus’ use of a wide array of tools and techniques in their operations, it is reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses.\r\nThe impact of this malware can be mitigated with proven techniques such as routinely scanning the network for malicious activity to help prevent the malware from entering and spreading through an organization. In addition, educating employees and other key people in an organization on social engineering techniques can help them identify what to look out for when it comes to malicious attacks.\r\nOther mitigation strategies include a multilayered approach to securing the organization’s perimeter, which includes hardening the endpoints and employing application control to help prevent malicious applications and processes from being executed.\r\nTrend Micro™ Deep Security™ provides virtual patching that protects endpoints from threats such as malicious redirections to malware-hosting URLs as well as those that exploit unpatched vulnerabilities. 
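As an added example that is not part of the original report and not code from Trend Micro or from the Lazarus tooling, the following Python script turns the two beacons, the controller user-agent and the WMI process survey described in the Infection Flow and Technical Analysis sections above into detection logic, and runs it over constructed proxy and process-creation log lines. The pipe-delimited log format, the domain example.invalid, the client addresses and the victim identifiers are assumptions made for the example; the protocol details themselves are the ones the report gives.

```python
# Added example, not code from the Trend Micro report or from Lazarus tooling.
# It applies the C&C protocol and host-survey commands the report describes to
# constructed log lines. The log formats, the domain example.invalid, the client
# addresses and the victim ids are assumptions made for this example.
from urllib.parse import urlsplit, parse_qs

# From the report: {domain}/{script}.jsp?action={action}&u={victim id}
# BaseInfo is sent by HTTP POST (victim profile), What by HTTP GET (job poll).
BACKDOOR_ACTIONS = {'BaseInfo': 'POST', 'What': 'GET'}
# From the report: user-agent of the Lazarus Remote Controller tool.
CONTROLLER_UA = 'Nimo Software HTTP Retriever 1.0'


def classify_request(method, url, user_agent):
    '''Return the list of RATANKBA indicators matched by one HTTP request.'''
    hits = []
    parts = urlsplit(url)
    if parts.path.lower().endswith('.jsp'):
        query = parse_qs(parts.query)
        action = query.get('action', [''])[0]
        if action in BACKDOOR_ACTIONS and 'u' in query:
            if method.upper() == BACKDOOR_ACTIONS[action]:
                hits.append('ratankba-beacon:' + action)
            else:
                # Right action name on the wrong verb: still worth a look.
                hits.append('ratankba-beacon-verb-mismatch:' + action)
    if user_agent == CONTROLLER_UA:
        hits.append('ratankba-controller-ua')
    return hits


def classify_command(command_line):
    '''Flag the wmic | findstr process survey run on infected hosts.'''
    lowered = command_line.lower()
    survey = 'wmic process get' in lowered and 'findstr' in lowered
    if survey and ('syswow' in lowered or 'x86' in lowered):
        return 'ratankba-process-survey'
    return None


def scan_proxy_log(lines):
    '''Proxy lines (assumed format): ts|client|method|url|user-agent.'''
    findings = []
    for line in lines:
        fields = line.rstrip().split('|', 4)
        if len(fields) != 5:
            continue  # malformed line: skip it rather than crash the scan
        _ts, client, method, url, user_agent = fields
        for hit in classify_request(method, url, user_agent):
            findings.append((client, hit))
    return findings


def scan_process_events(events):
    '''Events (assumed format): (host, command line) pairs.'''
    findings = []
    for host, command_line in events:
        hit = classify_command(command_line)
        if hit:
            findings.append((host, hit))
    return findings


# Constructed sample data: two beacons from one victim, one controller fetch,
# one benign .jsp request with a u= parameter, and one malformed line.
PROXY_LOG = [
    '2018-01-19T10:02:11Z|10.0.0.12|POST|http://example.invalid/board/view.jsp?action=BaseInfo&u=ab12cd|Mozilla/4.0',
    '2018-01-19T10:04:11Z|10.0.0.12|GET|http://example.invalid/board/view.jsp?action=What&u=ab12cd|Mozilla/4.0',
    '2018-01-19T10:05:40Z|10.0.0.7|GET|http://example.invalid/board/view.jsp?action=get_time|Nimo Software HTTP Retriever 1.0',
    '2018-01-19T10:06:02Z|10.0.0.30|GET|http://example.invalid/index.jsp?action=login&u=alice|Mozilla/5.0',
    'garbage line without delimiters',
]
# Constructed process-creation events; the shell quoting shown in the report is omitted.
PROCESS_EVENTS = [
    ('10.0.0.12', 'C:\\Windows\\system32\\cmd.exe /c wmic process get processid,commandline,sessionid | findstr SysWOW'),
    ('10.0.0.12', 'C:\\Windows\\system32\\cmd.exe /c wmic process get processid,commandline,sessionid | findstr x86'),
    ('10.0.0.30', 'wmic process get name'),
]

if __name__ == '__main__':
    for client, hit in scan_proxy_log(PROXY_LOG):
        print('proxy', client, hit)
    for host, hit in scan_process_events(PROCESS_EVENTS):
        print('process', host, hit)
```

Run it as a script to print the findings, or import scan_proxy_log and scan_process_events into a log pipeline. The verb check is deliberate: a BaseInfo upload arriving as GET, or a What poll as POST, is reported separately at lower confidence rather than dropped, so a variant that changes only the verb does not slip past the rule, while a .jsp request that merely carries a u= parameter with an unrelated action is not flagged at all.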
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update.\r\nA detailed timeline of the Lazarus group's operations can be seen here.\r\nIndicators of Compromise (IoCs):\r\nHashes detected as BKDR_RATANKBA.ZAEL-A\r\n1768f2e9cea5f8c97007c6f822531c1c9043c151187c54ebfb289980ff63d666\r\n6cac0be2120be7b3592fe4e1f7c86f4abc7b168d058e07dc8975bf1eafd7cb25\r\nd844777dcafcde8622b9472b6cd442c50c3747579868a53a505ef2f5a4f0e26a\r\ndb8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471\r\nf7f2dd674532056c0d67ef1fb7c8ae8dd0484768604b551ee9b6c4405008fe6b\r\nHashes detected as CHM_DLOADER.ZCEL-A\r\n01b047e0f3b49f8ab6ebf6795bc72ba7f63d7acbc68f65f1f8f66e34de827e49\r\n030b4525558f2c411f972d91b144870b388380b59372e1798926cc2958242863\r\n10cbb5d0974af08b5d4aa9c753e274a81348da9f8bfcaa5193fad08b79650cda\r\n650d7b814922b58b6580041cb0aa9d27dae7e94e6d899bbb3b4aa5f1047fca0f\r\n6cb1e9850dd853880bbaf68ea23243bac9c430df576fa1e679d7f26d56785984\r\n6d4415a2cbedc960c7c7055626c61842b3a3ca4718e2ac0e3d2ac0c7ef41b84d\r\n772b9b873100375c9696d87724f8efa2c8c1484853d40b52c6dc6f7759f5db01\r\n9d10911a7bbf26f58b5e39342540761885422b878617f864bfdb16195b7cd0f5\r\nd5f9a81df5061c69be9c0ed55fba7d796e1a8ebab7c609ae437c574bd7b30b48\r\nHashes detected as JS_DLOADER.ZBEL-A\r\n8ff100ca86cb62117f1290e71d5f9c0519661d6c955d9fcfb71f0bbdf75b51b3\r\nHashes detected as X97M_DLOADR.ZBEL-A\r\n972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee\r\nHashes detected as 
VBS_DLOADR.ZAEL-A\r\n4722138dda262a2dca5cbf9acd40f150759c006f56b7637769282dba54de0cab\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/"
	],
	"report_names": [
		"lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb44cae428068d8ca39adc1d038a34d16df991f6.pdf",
		"text": "https://archive.orkl.eu/bb44cae428068d8ca39adc1d038a34d16df991f6.txt",
		"img": "https://archive.orkl.eu/bb44cae428068d8ca39adc1d038a34d16df991f6.jpg"
	}
}