{
	"id": "937ec735-d45f-4566-acc9-427604760d57",
	"created_at": "2026-04-06T01:30:43.464907Z",
	"updated_at": "2026-04-10T03:36:11.286404Z",
	"deleted_at": null,
	"sha1_hash": "c79df2fcce2eedb461be6758a3c5bf5bde96c712",
	"title": "An Analysis of Sidoh: WIZARD SPIDER's Exfiltration Tool | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129616,
	"plain_text": "An Analysis of Sidoh: WIZARD SPIDER's Exfiltration Tool |\r\nCrowdStrike\r\nBy alexander.hanel\r\nArchived: 2026-04-06 00:17:26 UTC\r\nWIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and\r\noperation of the TrickBot banking Trojan. This Russia-based eCrime group originally began deploying TrickBot in 2016\r\nto conduct financial fraud, but has since evolved into a highly capable group with a diverse and potent arsenal, including\r\nRyuk, Conti and BazarLoader. Their toolset covers the entirety of the kill chain, from delivery to post-exploitation tools\r\nand big game hunting (BGH) ransomware, enabling WIZARD SPIDER to conduct a wide range of criminal activities\r\nagainst enterprise environments.\r\nSidoh (aka Ryuk Stealer) is a keyword-based exfiltration tool used by WIZARD SPIDER. Sidoh (as well as Ryuk) is the\r\nname of a character from the anime series Death Note. In the series, the character Sidoh has an item stolen by Ryuk.\r\nSince WIZARD SPIDER’s tool is used for exfiltration, the name Sidoh is fitting.\r\nWIZARD SPIDER’s Sidoh has an aura of mystery due to its rarity and the keyword list it uses to determine what data is\r\nexfiltrated. As of this blog’s publication, CrowdStrike Intelligence has observed 16 unique SHA256 hashes, with nine of\r\nthem containing unique build times (date and time of compilation) and with the first build date of June 16, 2019, and the\r\nlast build date of Jan. 18, 2020. Sidoh searches for specific file types with a fixed set of keywords. If a file matches\r\nSidoh’s criteria, it is exfiltrated via FTP to a hardcoded IP address. The list of keywords suggests the adversary is\r\nsearching for and targeting data related to government, military and financial sectors. It is unknown if WIZARD SPIDER\r\nwas using Sidoh to steal files for espionage purposes or if they were stealing files for extortion purposes. 
Stealing files\r\nfor espionage purposes is unusual for criminal threat actors. However, GameOver Zeus was a previously observed\r\ncriminal malware family that searched victim systems for files matching keywords related to foreign government\r\nofficials, military documents, classified information and terrorism. The keywords from the GameOver Zeus search\r\nqueries resemble some of those found in Sidoh. In May 2019, OUTLAW SPIDER, the operators of RobbinHood\r\nransomware, made headlines by ransoming machines and exfiltrating data from the City of Baltimore (COB). This\r\nincident was one of the first instances observed by CrowdStrike Intelligence of data exportation to incentivize ransom\r\npayments. WIZARD SPIDER could have taken notice of the exfiltration and data leak extortion tactic and written Sidoh as\r\na tool to determine the value of exfiltrated data in a set of limited test runs inspired by OUTLAW SPIDER’s targeting of\r\nCOB. In August 2020, WIZARD SPIDER did add data exfiltration and data leak sites to the big game hunting list of\r\ntactics. Two variants of Sidoh have been observed by CrowdStrike Intelligence. The first variant was observed in mid-June 2019 and the second was observed in mid-January 2020. Both versions are similar except for bug fixes and updated\r\nkeyword lists. Upon initial analysis of the early versions of Sidoh, CrowdStrike Intelligence dismissed the sample as being\r\na variant of Ryuk. This initial assessment was based on a cursory analysis of Sidoh’s WinMain function. Ryuk and Sidoh\r\nboth contain functionality that reads a file passed as a command line argument, sleeps for 5,000 microseconds and then\r\ncalls DeleteFileW to delete the file. Along with the deletion of the file, Sidoh’s code was compiled in Visual Studio,\r\ncontained the same API chains to accomplish specific functionality and the code even “felt” like Ryuk. 
It was only upon\r\ndeeper inspection that it was realized that the sample was not Ryuk, but a family of malware that looks to have borrowed\r\ncode from Ryuk’s source code. Even though both Sidoh and Ryuk are compiled using Visual Studio, they are not\r\ncompiled using the same build chain. For example, a Ryuk binary compiled on June 26, 2019, contains an older toolset\r\nthan a Sidoh binary compiled on July 8, 2019.\r\nhttps://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/\r\nPage 1 of 7\n\nThe difference in the detected toolsets between Ryuk and Sidoh hints that\r\nthe samples were compiled on different machines with different installed versions of Visual Studio. Table 1 shows the\r\ndetected Visual Studio toolsets for the binaries.\r\nRyuk Sidoh\r\nVisual C++ 14.0.x 2015 (build 23918) Visual C++ 14.0 2015 (build 24215)\r\nVisual C++ 9.0 2008 SP1 (build 30729) Visual C++ 14.0.x 2015 (build 24210)\r\nVisual C++ 14.0.x 2015 (build 23907) Visual C++ 14.0 2015 (build 24215)\r\n \r\nVisual C++ 14.0.x 2015 (build 23918)\r\nVisual C++ 9.0 2008 SP1 (build 30729)\r\nVisual C++ 14.0.x 2015 (build 24123)\r\nTable 1. Ryuk and Sidoh detected toolsets\r\nThe exact intent of Sidoh is only known by the threat actors that operated it, but the keywords used by WIZARD\r\nSPIDER invite speculation about its intended targets and the use of the exfiltrated data.\r\nTechnical Analysis\r\nThe following technical analysis is based on the newest version of Sidoh. Differences between the two variants are noted\r\nthroughout the text when applicable. Upon execution, Sidoh checks for the presence of a command line argument passed\r\nto it. If the argument is present, it is treated as a file path. Sidoh sleeps for 5,000 microseconds and then deletes the file if\r\nthe argument is present. Sidoh lists all available drives on the host by calling GetLogicalDrives. For each available\r\ndrive, it calls GetDriveTypeW to ensure the drive type is not DRIVE_CDROM. 
If the drive type is not a CD-ROM, the drive\r\npath’s contents are searched. After the drives have been searched, Sidoh attempts to search the contents of hosts that have\r\nIP addresses present within the compromised host’s ARP entries. The ARP entries are retrieved by calling\r\nGetIpNetTable. For each entry, Sidoh attempts to mount the IP address from within the entry as a network drive, using\r\nServer Message Block (SMB), and then proceeds to search the drive.\r\nTo enumerate files on disk, Sidoh calls FindFirstFileW and FindNextFileW. Sidoh contains a deny list targeting\r\nspecific file types or folder names. Table 2 shows a block list of folders and file names whose contents are ignored by\r\nSidoh.\r\nSample Music Sample Pictures $Recycle.Bin\r\nTor Browser Package Cache RyukReadMe.txt**\r\nmicrosoft UNIQUE_ID_DO_NOT_REMOVE** PUBLIC\r\nwindows PerfLogs Windows\r\nProgramData Firefox Intel\r\nMozilla Microsoft $WINDOWS\r\nProgram Files \\\\Users\\\\Public\\\\Pictures MySQL\r\nlog .dll AhnLab\r\nTable 2. Sidoh folder name block list\r\nSome of the names in Table 2 are not directories (e.g., .dll). The fields that end with ** are names that are artifacts\r\nfrom a Ryuk infection. For example, RyukReadMe.txt was the name for Ryuk ransom notes before WIZARD SPIDER\r\nswitched the ransom note to HTML. Sidoh does not attempt to exfiltrate files over 50MB, and earlier variants would not\r\nexfiltrate files over 20MB. If a file is over 50MB, it is ignored. Along with folder names, Sidoh has an allow list of file\r\nextensions. Earlier variants contained the file extension .RYK, which is appended to files after being encrypted by Ryuk.\r\nThe presence of the string related to Ryuk suggests that Sidoh was either derived from the Ryuk source code or designed\r\nto be compatible with systems that have been encrypted by Ryuk. 
Table 3 contains the block list of file extensions for\r\nvariant 2. The newer list is more extensive, likely with an end goal of speeding up time spent scanning the host for files.\r\n.exe .sdi .pem .sys .xpi .rsm .msc\r\n.msi .dic .ibd .ddf .mp3 .wbverify .ascx\r\n.dll .pyd .db .sqlite cached .tmp .css\r\n.lnk .qml .h .ttf ppt .cat .browser\r\n.sdi .js .lib .cdx ppsm .asp .bmp\r\n.wim .png .microsoft .thmx cached .config .url\r\n.chm .log .txmx .new wtv .inf .search-ms\r\n.vicache .ini .tif .little NTUSER .din .wmv\r\n.chm .lnk .iobj .cdx .contact .oem .icml\r\n.xml .cab .ipdb .gif .wbcat .ps1 readme\r\nTable 3. Sidoh file extension name block list\r\nIf the filename contains an extension of .cpp, .h, .xls, .xlsx, .doc, .docx, .docb, .pdf or\r\nwallet.dat, an attempt to automatically exfiltrate the file is made. Early variants also included the .txt and .gov file\r\nextensions, but these were removed. Further details about the attempt are described in the next section, Exfiltration and\r\nInfrastructure. If the filename does not contain one of the previously mentioned file extensions, the filename is then\r\nchecked against the keyword list in Table 4. If the filename contains one of the keywords in the following table, the file is\r\nexfiltrated.\r\nSECURITY marketwired fbi Secret war victim federal\r\nN-CSR 10-Q csi scheme suspect court bureau\r\n10-SB 10Q gun tactical cyber hidden government\r\nEDGAR 8K NATO Engeneering document bribery security\r\nspy fraud Nato explosive treasonrestricted contraband unclassified\r\nradar hack convictMilitary drug private operation concealed\r\ncensored NSA military traitor confident undercover newswire\r\nagent FBI submarine embeddedspy important clandestine marketwired\r\nnewswire CSI Submarinesecret radio pass investigation Clearance\r\nTable 4. 
Sidoh file name exfiltration keyword list\r\nEarly variants of Sidoh contained functionality to search the contents of .docx or .xlsx files. To search the contents\r\nof .docx or .xlsx files, Sidoh must first parse the file type. Modern Microsoft Office documents are stored in the\r\nMicrosoft Open XML (MOX) format. This format primarily consists of a ZIP file with XML data. Before decompressing\r\nthe ZIP file, Sidoh would import a Dynamic Link Library (DLL) named libzip.dll. It is derived from the open-source\r\nC library, libzip, which can be used for reading, writing and modifying ZIP files. This library is not installed on Windows\r\nby default. In order to execute properly, these early variants of Sidoh would need libzip.dll to be present within the\r\nworking directory or within the standard DLL search order. The Sidoh executable and libzip.dll are likely written to\r\ndisk by a dropper. Once libzip has been imported, it is used to decompress the document. Once decompressed, Sidoh\r\nreads the path word/document.xml for .docx files and xl/worksheets/sheet*.xml for .xlsx. The contents are read\r\ninto a buffer and then searched for the keywords in Table 5. A bug existed in how Sidoh searched .xlsx files for\r\nkeywords. Text data from rows and columns in Excel spreadsheets is not stored in xl/worksheets/sheet*.xml but is\r\nstored at the path xl/SharedStrings.xml. Therefore, the .xlsx file data that Sidoh reads and searches only contains\r\nthe mapping of the rows and columns to fields in SharedStrings.xml but none of the text that would contain the\r\nkeywords being searched for. The reading and searching of\r\n.docx or .xlsx was removed in the newest variant, likely because of the described error. 
Newer variants simply read\r\nthe contents of the file and search for one of the keywords in Table 5.\r\npersonal censored traitor checking clandestine seed Olivia\r\nsecurityN-CSR10-\r\nSBEDGAR\r\nbribery suspect saving illegal personal Noah\r\nspy contraband cyber routing compromate confident Ava\r\nradaragentnewswire operation document finance privacy mail William\r\nmarketwired gun embeddedspy agreement private letter Isabella\r\n10-Q attack radio SWIFT contract passport James\r\n10Q military war BIC concealed victim** Sophia\r\n8K tank submarine IBAN backdoorundercover court Logan\r\nfraud convict fbi license clandestine id Clearance\r\nhack scheme restricted Compilation investigation NATO\r\nNSA tactical secret report federal Nato\r\nFBI Engeneering CSI secret bureau scans\r\ndefence explosive balance confident government Emma\r\ntreason drug statement hidden security Liam\r\nTable 5. Sidoh file name exfiltration keyword list\r\nThe lists in Table 4 and Table 5 contain many words that are misspelled (e.g., Engeneering) or two words concatenated\r\n(e.g., treasonrestricted). These errors hint that this list was hastily input or never reviewed. Further details about the\r\nattempts to upload the files are described next.\r\nExfiltration and Infrastructure\r\nSidoh uploads documents that match the search criteria to a command-and-control (C2) IP address via FTP with a hard-coded username and password of anonymous. If the FTP server is not available, Sidoh typically contains a backup IP\r\naddress that it can use. One variant of Sidoh did not contain a backup IP address. Once connected, the files are uploaded\r\nto a hard-coded directory with four random digits prefixing the original filename. If the connections fail, Sidoh sleeps for\r\na random amount of time (between 0 and 125 seconds) and then tries to connect again. 
Sidoh does not keep an active\r\nconnection to the FTP server but repeatedly logs into the FTP server.\r\nIf, during the exfiltration process, Sidoh fails to connect to the C2 after three attempts, it scans the filename or contents of\r\nfiles with an extension of .cpp, .xls, .xlsx, .doc, .docx, .docb or .pdf for the targeted keywords to\r\ndetermine if additional effort should be made to exfiltrate those files. If there is a match, Sidoh makes another three\r\nconnection attempts. After each failed connection, Sidoh will sleep for a random amount of time (between 0 and 125\r\nseconds) between each attempt. If all attempts to connect to the C2 fail, Sidoh discards the current file being uploaded\r\nand continues to search for more files to exfiltrate. Table 6 contains all known Sidoh IP addresses and observed folder\r\npaths for uploading exfiltrated files.\r\nIP Address IP Address Upload Path Build Time\r\n109.236.92\u003c.\u003e162 N/A /upload/files/a7 2019-06-16 21:20:14\r\n109.236.92\u003c.\u003e162 185.254.121\u003c.\u003e157 N/A 2019-06-21 08:30:19\r\n185.254.121\u003c.\u003e157 109.236.92\u003c.\u003e162 /upload/files/military2 2019-06-22 03:37:21\r\n185.254.121\u003c.\u003e157 109.236.92\u003c.\u003e162 /upload/files/3 2019-07-08 17:21:37\r\n185.254.121\u003c.\u003e157 109.236.92\u003c.\u003e162 /upload/files/sharpsec 2019-07-11 22:26:03\r\n185.254.121\u003c.\u003e157 109.236.92\u003c.\u003e162 upload/files/a71 2019-07-17 12:12:37\r\n66.42.76\u003c.\u003e46 N/A /files_server/a8-5 2019-08-18 19:45:35\r\n66.42.108\u003c.\u003e141 45.76.1\u003c.\u003e57 /test50/fx3-92 2020-01-18 23:44:40\r\n66.42.108\u003c.\u003e141 45.76.1\u003c.\u003e57 /test50/fx3-92 2020-01-19 00:11:32\r\nTable 6. 
Sidoh IP addresses, upload paths and build times\r\nDue to reallocation, the IP addresses in Table 6 should not be used for blocking.\r\nTable 7. Sidoh SHA256 Hashes and Build Time\r\nConclusion\r\nWIZARD SPIDER is one of the most sophisticated groups tracked by CrowdStrike. Their threat arsenal ranges from\r\nbanking trojans to spam bots to ransomware — with all of these tools designed with an end result of getting money from\r\ntheir victims. Some of these tools have been short-lived, but the diversity in tooling used by WIZARD SPIDER\r\ndemonstrates their desire to use new strategies to monetize their attacks. It is unknown if Sidoh is one such strategy that\r\nexperimented with monetizing victims by stealing potentially sensitive or proprietary data, or if Sidoh was used by\r\nWIZARD SPIDER to steal data from specific victims at the request of a third party. There is even the possibility that the\r\noriginal Hermes source code (which Ryuk was derived from) was modified to be Sidoh, and the threat actors added the\r\nRyuk file artifact references as a false flag. 
But the likeliest and simplest explanation is that Sidoh was used in rare instances by WIZARD SPIDER to\r\nautomatically steal data from compromised hosts.\r\nAs of this publication date, CrowdStrike has not observed Sidoh within the telemetry of our customers. If your company\r\nwas a victim of Sidoh and you have further details you’d be willing to share, please reach out to CrowdStrike\r\nIntelligence.\r\nAdditional Resources\r\nFor more intel about WIZARD SPIDER, visit the CrowdStrike Adversary Universe.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the CROWDSTRIKE\r\nFALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/"
	],
	"report_names": [
		"sidoh-wizard-spiders-mysterious-exfiltration-tool"
	],
	"threat_actors": [
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439043,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c79df2fcce2eedb461be6758a3c5bf5bde96c712.pdf",
		"text": "https://archive.orkl.eu/c79df2fcce2eedb461be6758a3c5bf5bde96c712.txt",
		"img": "https://archive.orkl.eu/c79df2fcce2eedb461be6758a3c5bf5bde96c712.jpg"
	}
}