{
	"id": "595b4b21-1adc-48ff-81a9-bb2d2a1bcd64",
	"created_at": "2026-04-06T00:20:00.448932Z",
	"updated_at": "2026-04-10T03:38:06.616862Z",
	"deleted_at": null,
	"sha1_hash": "c6281b1cf2f890db15e093b1bca27e9a5eb990b4",
	"title": "Who is the Threat Actor Behind Operation Earth Kitsune?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4312242,
	"plain_text": "Who is the Threat Actor Behind Operation Earth Kitsune?\r\nBy: William Gamazo Sanchez Dec 15, 2020 Read time: 10 min (2715 words)\r\nPublished: 2020-12-15 · Archived: 2026-04-05 16:58:41 UTC\r\nRecently, we uncovered the Operation Earth Kitsune campaign and published a detailed analysis of its tactics, techniques, and procedures (TTPs). While analyzing the technical details of this malware, which includes two new espionage backdoors, we noticed striking similarities to other malware attributed to the threat actor known as APT37, also known as Reaper or Group 123.\r\nDetermining who is behind a malware campaign can be a challenging endeavor. Threat actors generally don’t leave easily identifiable signatures in software designed to disrupt or otherwise harm an adversary. However, by comparing key pieces of information with known sources, it is possible to determine when a campaign was likely perpetrated by a certain group. This is even more true when the group has existed for many years and there are many pieces of evidence to compare. We hope our thorough analysis of Operation Earth Kitsune will help others with data points for attribution in the future.\r\nBy some accounts, this group has been active since 2012, so there are many examples attributed to them to compare. It is important to note that previous analyses of suspected APT37 activities from different security vendors date from 2016, and the captured samples for Operation Earth Kitsune have been developed recently. Because of this, finding code similarity is unlikely. However, we were able to match some code reuse in one of the espionage backdoor’s functionalities. In that sense, we are emphasizing TTP correlation in this case. In other words, even when the samples are newly developed, the attacker may have reused many of the operational techniques.\r\nAnother important consideration for attribution is that we have some historical background for Operation Earth Kitsune. Previously, we uncovered two different campaigns in 2019 under the name of SLUB malware. Operation Earth Kitsune is a continuation of those campaigns. Consequently, some of the attribution indicators will span and include the previous SLUB malware campaigns.\r\nThe following sections describe the different correlations and are divided into two main categories:\r\nCorrelation related to the malware author’s development environment\r\nCorrelation associated with TTPs\r\nNote that some leads are stronger than others; however, when combined, they suggest that the same threat actor behind malware previously attributed to APT37 is likely responsible for Operation Earth Kitsune.\r\nhttps://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html\r\nPage 1 of 13\n\nMalware author’s developer environment\r\nWhen determining attribution, the most interesting leads are the ones from which information about the malware author’s working environment can be deduced. Sometimes, these leads can reveal the preferred languages used in the developers’ environment. There are also times when developers intentionally remove these associations and plant misleading information to avoid attribution. That action by itself potentially introduces other leads that developers may forget to clean.\r\nOperating system language version\r\nDuring the analysis of the samples captured from the previous campaign related to SLUB in 2019, one of the samples, the SLUB loader exploiting CVE-2019-0803, contained a version resource section that included intentionally misleading planted data. Figure 1 shows this:\r\nFigure 1. Planted version information\r\nThis kind of misleading version data is quite common and does not contain information relevant to attribution. However, there is a secondary effect when the version resource is added to a binary. For this, we are assuming this binary was compiled with a Visual Studio toolchain, as indicated by various compiler identification tools.\r\nWhen the version resource is compiled into the binary, a language ID is generated and stored not in the resource payload but in the internal structure of the resource information, which is not visible with Windows Explorer. What is interesting is that this language ID is not determined by the current Visual Studio language. Instead, it is determined by the operating system language at the time the version resource is included. Viewing this language ID requires the use of other tools. Figure 2 shows the language ID for the SLUB dropper.\r\nFigure 2. Language ID of the version resource\r\nWe found this type of OS language leak in prior samples attributed to APT37. One of the previous malware families attributed to APT37 is known as Freenki. Some Freenki samples had leaked the OS language ID through this same mechanism. The image (Figure 3) taken from an analysis of Freenki shows that the same logic applies when the resource is compiled into the binary.\r\nFigure 3. Freenki embedded resource\r\nWe assume there are multiple developers within APT37, and not all of them follow the same practices. As such, not all samples may have the embedded resource that leaks the same OS language. However, this commonality is just the first of many that lead us to believe the team attributed to the Freenki malware is the same team behind Operation Earth Kitsune.\r\nLeaked assert path and external blog references\r\nSometimes, malware authors know that releasing symbol information is dangerous from an attribution point of view since it can reveal information about the working environment. That information often gets stripped from binaries. However, that is not the only scenario in which malware developers leak path information about their environment. In some instances, malware projects require external libraries, and some libraries use the “assert()” mechanism to help developers debug unexpected conditions. In these cases, the compiler includes a path to the source code file along with those “assert()” calls. These paths leak information about the third-party libraries’ installed paths. In our case, the samples from Operation Earth Kitsune implemented the Mattermost command and control (C2) communication and leaked a local path. Figure 4 shows the leaked path.\r\nFigure 4. Leaked assert() path\r\nPublic references to this path (the path to the C++ Boost library) consist of Korean-language blogs explaining how to set up a developer environment configuration using the same path. We can also determine that this configuration was created manually because the default installation path does not support static compilation. Here is a translation of the relevant section:\r\n“Well, in the end, I modified the project configuration file as below, but it doesn't seem like best practice. There seems to be a neat way to do it, but I seek advice from experienced people.”\r\nIt is also important to note that the same paths leaked through all the SLUB samples. This includes samples from the older SLUB campaign in 2019 and the new version that supports Mattermost.\r\nFigure 5. Public blog in the Korean language\r\nThese two indicators reveal that the malware author used an “assert()” path and referenced an external blog in the same manner as previously analyzed malware.\r\nTTPs Correlation\r\nIn our previous detailed analysis of Operation Earth Kitsune, one of the delivery architectures for the espionage backdoors is designed as shown in Figure 6.\r\nFigure 6. Delivery architecture\r\nWhile this mechanism may sound quite common in other campaigns, what is interesting is the details it has in common with previous campaigns attributed to APT37. In 2017, Palo Alto’s Unit 42 detailed their findings around the Freenki malware. Even though this analysis was three years before Operation Earth Kitsune, the attackers appear to have reused the same TTPs for delivering the malware.\r\nFigure 7 shows delivery PowerShell script sections for both campaigns.\r\nFigure 7. PowerShell scripts downloading JPG files\r\nThe following TTPs are common to both campaigns related to the scripts in Figure 7:\r\nBoth have compromised websites where the malware samples are hosted and delivered to victim machines.\r\nBoth use PowerShell scripts to download and run the samples.\r\nBoth PowerShell scripts download multiple malware samples to the victim machine. It appears the attacker is willing to implement multiple mechanisms for infecting the victim machine once it is compromised.\r\nBoth use different samples for the multiple malware downloaded.\r\nBoth use JPG as a delivery extension.\r\nMultiple samples are delivered at the same time. In both cases, at least one sample received command line arguments.\r\nAnother surprising similarity in the TTPs related to both campaigns is the path pointing to “udel_ok.ipp,” as shown in Figure 7. This is a JavaScript file that executes with wscript.exe. Figure 8 shows the partial source code for this JavaScript.\r\nFigure 8. JavaScript executing the malware\r\nWhat got our attention is that the samples were renamed to be similar to the naming convention of Windows update files (i.e., “Windows-KB275122-x86.exe”). While analyzing the samples that have been previously attributed to APT37, we noticed that the persistence mechanism in Operation Earth Kitsune uses the same naming convention to auto-start itself through the Windows Run registry key. We also found that older samples from the previous SLUB campaigns in 2019 used a similar naming convention. Figure 9 shows that SLUB used “Windows-RT-KB-2937636.dll,” while Freenki used “Windows-KB275122-x86.exe.”\r\nFigure 9. Naming convention for persistence\r\nWe can see how the Freenki malware, previous SLUB campaigns, and Operation Earth Kitsune share many common TTPs in their delivery and persistence mechanisms. However, these are not the only commonalities. Again, on its own, this might be coincidental. However, our analysis shows further similarities that imply correlation.\r\nGNUBoard compromised web sites\r\nIn the blog describing Operation Earth Kitsune, we noted that sites using the GNUBoard Content Management System (CMS) had been compromised and were used to host malware. The malware campaigns previously attributed to APT37 also extensively exploited websites hosted with the GNUBoard CMS. While analyzing multiple samples, we found indicators of this strategy across the various campaigns. Figure 10 shows an example attributed to APT37 and one from Operation Earth Kitsune as a comparison. The SLUB campaign also exploited and used GNUBoard websites as part of its infrastructure.\r\nFigure 10. Websites created using GNUBoard CMS\r\nExfiltration commands\r\nAs mentioned in the previous report on Operation Earth Kitsune, one of the espionage backdoors, named agfSpy, received a JSON configuration with a list of native Windows commands to execute. The output of those commands is exfiltrated back to the agfSpy command and control (C2) server. While analyzing one malware sample previously attributed to APT37, we found that it executed practically the same command sequences, including the paths and extensions. Even though the threat actor was not using the JSON format at that time, the commands embedded in the various samples show a surprising number of similarities. Figure 11 shows a comparison of the exfiltration commands between malware previously attributed to APT37 and Operation Earth Kitsune. Note the following similarities:\r\nThe paths C:\\Users and D:\\ are used in both\r\nThe search patterns are very similar\r\nThe extension lists are very similar\r\nNote that we are comparing a sample from 2016 with agfSpy, which is from 2020. It makes sense that new campaigns coming from the same authors/groups will add new extensions like “.xlsx” to support updated versions of Office documents. It is also clear that the actual interest is in the “.hwp” extension, so that Korean Office documents are listed during exfiltration.\r\nFigure 11. Exfiltration command similarities\r\nCode sharing\r\nWhen doing attribution, finding code sharing between different samples is one of the most desired discoveries. However, in our case, this was difficult as we are comparing samples from 2016-2017 to those developed in 2020. At the same time, practically all code for the SLUB malware was created from scratch. Also, dneSpy and agfSpy are based on custom and newly developed code. That makes it difficult to match code similarities, and that is why the indicators of code sharing are sparse across the different samples.\r\nHowever, one feature that is present in both the previous malware attributed to APT37 and Operation Earth Kitsune is screenshot capture. We tried to find out how this feature evolved across previous samples and the older SLUB samples. During the analysis, we found a clear indication of code sharing for the screenshot functionality. Figure 12 shows a comparison between the two samples. While this code may have originated from a shared “internet code sharing post,” both samples share it. They also have some changes that make sense, such as removing the error message “failed to take…,” since this is not required for the malware functionality. It is likely a late refactor of the code.\r\nFigure 12. Screenshot functionality comparison between SLUB and APT37\r\nWorking Hours\r\nAnalyzing the compile times of binaries across different samples can also provide a level of correlation between samples. While malware authors can fake this, useful information can still be gleaned with enough samples. In our case, we collected many samples across 2020, and we found that the compile dates and times follow a logical timeline according to the malicious activity. Based on our analysis, we believe the malware author did not fake the compile times of the binaries. Other public references also used the compile times of samples attributed to APT37. When compared to the compile times seen in Operation Earth Kitsune, there are several similarities.\r\nThe compile times listed in binaries provide an estimate of the threat actor's working hours and help approximate the possible time zones where the malware was developed. It is fair to assume that the developers work on daily working times. When you have many samples to analyze, you can refine that expectation over time. Figure 14 (below) shows a raw comparison across many samples using two time zones. We can see how the UTC+9 time zone matches both the samples previously attributed to APT37 and those from Operation Earth Kitsune. These both equate to the daily working times for that time zone.\r\nFigure 13. Compile times of APT37 and Kitsune samples\r\nDuring the capture of samples for Operation Earth Kitsune, we managed to dump information about the Mattermost server using its API and the token used by the malware itself. Mattermost was being used as a C2 channel for the malware. Part of the dumped information contained the actions of the user with administration roles on the system. That user was doing manual activities the majority of the time. At the same time, we were able to locate the Mattermost server hosted in Greece, and that gave us the current time zone of the Mattermost server. Having that reference, we plotted the actions of all users whose information we could obtain. It is important to remember that, except for the administrator user, all other accounts were used as part of the malware deployment (SLUB malware). Figure 15 shows a plot with “Y” representing the number of actions. For example, an action for the SYSTEM_ADMIN could be to create a user, add a user to a channel, etc. The “X” axis represents the hour of the day (in 24-hour format). No months are plotted, so this figure is like compressing all the activity across the full year 2020 into one day just to show the active hours in a day. All the plots are in UTC+9.\r\nFigure 14. Mattermost server activity\r\nFigure 15 shows that User_3 and User_4 have seemingly random counts. This is because those accounts are actually the ones the malware used during the infection to log activities to the Mattermost server. However, the SYSTEM_ADMIN account has a different pattern because the actions are mostly due to manual administration activities. Unsurprisingly, the SYSTEM_ADMIN hours line up perfectly with the daily working hours at UTC+9.\r\nConclusions\r\nWhile no attribution is perfect, there are striking similarities between the malware attributed to APT37 and Operation Earth Kitsune. Little can be gleaned from each individual piece, but when viewed as a whole, the group behind Operation Earth Kitsune is likely the same one behind the Freenki malware and other malware campaigns attributed to APT37. This is somewhat surprising, considering Operation Earth Kitsune’s espionage tools were entirely freshly developed.\r\nWe can summarize the correlated indicators in a general form as:\r\nUse of the Korean language in the developers’ system environment\r\nReuse of multiple TTPs during operation deployments:\r\n    GNUBoard compromised websites\r\n    Multiple malware samples deployed at the same time\r\n    A similar organization in the deployment architecture\r\nReliance on public services and watering hole attacks to compromise victims\r\nSome code reuse, even when the samples are completely different otherwise\r\nWorking hours for both match\r\nExfiltration techniques and information interests are very similar, if not fully matched\r\nWhile it is always possible for another group to imitate the TTPs of a different group to confuse attribution, there does not seem to be any indication of that here. Instead, what we see in SLUB and Operation Earth Kitsune is the evolution of an advanced threat actor over time: one that builds on what worked in the past to become more efficient in the present.\r\nSource: https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html"
	],
	"report_names": [
		"who-is-the-threat-actor-behind-operation-earth-kitsune-.html"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87",
			"created_at": "2023-11-17T02:00:07.61151Z",
			"updated_at": "2026-04-10T02:00:03.459947Z",
			"deleted_at": null,
			"main_name": "Earth Kitsune",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kitsune",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f6650a3-9f50-47c4-bd7a-008b63bde191",
			"created_at": "2022-10-25T16:07:23.949232Z",
			"updated_at": "2026-04-10T02:00:04.803815Z",
			"deleted_at": null,
			"main_name": "Operation Earth Kitsune",
			"aliases": [],
			"source_name": "ETDA:Operation Earth Kitsune",
			"tools": [
				"SLUB",
				"WhiskerSpy",
				"agfSpy",
				"dneSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1ab5200-db35-4b65-815d-824fa842de28",
			"created_at": "2024-11-13T13:15:31.11592Z",
			"updated_at": "2026-04-10T02:00:03.766375Z",
			"deleted_at": null,
			"main_name": "APT73",
			"aliases": [
				"Eraleig"
			],
			"source_name": "MISPGALAXY:APT73",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6281b1cf2f890db15e093b1bca27e9a5eb990b4.pdf",
		"text": "https://archive.orkl.eu/c6281b1cf2f890db15e093b1bca27e9a5eb990b4.txt",
		"img": "https://archive.orkl.eu/c6281b1cf2f890db15e093b1bca27e9a5eb990b4.jpg"
	}
}