{
	"id": "81ca8c61-f678-4e46-a979-52d469653cfc",
	"created_at": "2026-04-06T00:09:21.351775Z",
	"updated_at": "2026-04-10T03:36:33.537217Z",
	"deleted_at": null,
	"sha1_hash": "c7b97c6f04613f6b58495874253d1928dfa64fc5",
	"title": "Chinese APT Abuses VSCode to Target Government in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2066878,
	"plain_text": "Chinese APT Abuses VSCode to Target Government in Asia\r\nBy Tom Fakterman\r\nPublished: 2024-09-06 · Archived: 2026-04-05 14:11:40 UTC\r\nExecutive Summary\r\nUnit 42 researchers recently found that Stately Taurus abused the popular Visual Studio Code software in\r\nespionage operations targeting government entities in Southeast Asia. Stately Taurus is a Chinese advanced\r\npersistent threat (APT) group that carries out cyberespionage attacks.\r\nThis threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks.\r\nThis is a relatively new technique that a security researcher discovered in 2023. According to our telemetry, this is\r\nthe first time a threat actor used it in the wild.\r\nWe assess that this campaign is a direct continuation of a previously reported campaign that we attributed with\r\nmoderate-high confidence to Stately Taurus. We come to this conclusion based on consideration of the TTPs,\r\ntimeline and victimology targeting government entities in Southeast Asia.\r\nWe will also discuss a connection between the Stately Taurus activity and a second cluster of activity occurring\r\nsimultaneously in the same targeted environment that leveraged the ShadowPad backdoor.\r\nPalo Alto Networks customers receive better protection against threats discussed in this article through the\r\nfollowing products and services, which we detail further in the Conclusion section:\r\nAdvanced WildFire\r\nAdvanced URL Filtering\r\nAdvanced DNS Security\r\nCortex XDR\r\nCortex XSIAM\r\nPrisma Cloud Compute\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nThe Rare Use of Visual Studio Code Abuse\r\nOne of the novel techniques Stately Taurus used to bypass security protections leverages Visual Studio Code’s\r\nembedded reverse shell feature to execute arbitrary code and deliver additional payloads. 
Truvis Thornton\r\ndescribed this technique in a Medium post in September 2023, but this is the first time we’ve observed threat\r\nactors abusing this technique in the wild.\r\nhttps://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\r\nPage 1 of 11\n\nTo abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the\r\nexecutable file for Visual Studio Code), or an already installed version of the software. By running the command\r\ncode.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.\r\nAfter logging in, the attacker is redirected to a Visual Studio Code web environment that is connected to the\r\ncompromised machine. They are then permitted to execute commands and scripts, and to create new files on the\r\ninfected machine.\r\nStately Taurus used this technique to deliver malware to infected environments, perform reconnaissance and\r\nexfiltrate sensitive data. To establish constant access to the reverse shell, the attacker created persistence for a\r\nscript named startcode.bat using a scheduled task that is responsible for starting the shell.\r\nFigure 1 shows the process tree for code.exe abuse in Cortex XDR.\r\nFigure 1. Process tree of the code.exe abuse in Cortex XDR.\r\nThe Connection to Stately Taurus\r\nIn September 2023, we discussed a campaign that was attributed to Stately Taurus, which leveraged the ToneShell\r\nbackdoor as one of its main tools. During this campaign, Stately Taurus used ToneShell to archive files for\r\nexfiltration, protecting the RAR archives with a unique password.\r\nThe password was 13 characters long, using upper and lower case letters as well as digits. 
By tracking this unique\r\npassword in our telemetry, we were able to find additional Stately Taurus activity in the same targeted\r\nenvironment.\r\nWe concluded that this campaign is a continuation of the Stately Taurus activity we reported in September 2023, due\r\nto the following factors:\r\nThe use of the same unique password\r\nAdditional TTPs\r\nTimeline\r\nVictimology targeting governmental entities in Southeast Asia\r\nFigure 2 presents the connections between the components of the Stately Taurus campaign.\r\nFigure 2. Connections between different components of the campaign and the unique Stately Taurus\r\npassword.\r\nStately Taurus (aka Mustang Panda, BRONZE PRESIDENT, RedDelta, Luminous Moth, Earth Preta and Camaro\r\nDragon) has been operating since at least 2012. Stately Taurus is a Chinese APT group that routinely conducts\r\ncyberespionage campaigns targeting government entities, as well as religious and other nongovernmental\r\norganizations across Europe and Asia.\r\nAdditional TTPs Related to the Stately Taurus Cluster\r\nSshd.exe: The attacker used OpenSSH (sshd.exe) to execute commands, transfer files and spread across the\r\nenvironment as shown in Figure 3. OpenSSH allows the user to connect to a remote machine via SSH.\r\nFigure 3. Sshd.exe used for lateral movement shown in Cortex XDR.\r\nSharpNBTScan: The attackers used SharpNBTScan (renamed as win1.exe) to perform scanning in the\r\nenvironment.\r\nListeners.bat: On some occasions the attackers used a batch file named Listeners.bat to archive files for\r\nexfiltration.\r\nExfiltration\r\nAs part of this operation, Stately Taurus attempted to exfiltrate sensitive information from different machines. The\r\nattacker executed rar.exe remotely via SMB. 
Next, they tried to iterate and archive all drives from A-Z on remote\r\nmachines, as shown in Figure 4.\r\nFigure 4. Attacker uses code.exe to archive folders from remote machines shown in Cortex XDR.\r\nTo exfiltrate the archived files, the attacker used curl to upload the files to Dropbox, which is a legitimate file\r\nhosting service. The attacker used this service to blend in and exfiltrate the data without drawing too much\r\nattention.\r\nStately Taurus used the same exfiltration technique in the campaign described in our previous article. Figure 5 below shows the\r\ncommand line the attacker used for exfiltration.\r\nFigure 5. Data exfiltration using Dropbox.\r\nThe Connection to ShadowPad Activity\r\nWhile investigating the Stately Taurus cluster, we observed another cluster of activity in the same environment,\r\noccurring simultaneously and at times even on the same endpoints. This cluster of activity used the ShadowPad\r\nbackdoor as its main tool, from which attackers launched other activity. ShadowPad is modular malware that has\r\nbeen in use by multiple Chinese threat actors since at least 2017.\r\nThe connection between these two clusters includes the following overlap:\r\nFollowing the origins of Listeners.bat (used in the Stately Taurus cluster) on an infected machine, we\r\nobserved that the same network session that wrote Listeners.bat also wrote additional files and malware,\r\nincluding the ShadowPad backdoor.\r\nListeners.bat also used the same unique password that the ToneShell backdoor from the Stately Taurus\r\ncluster used. Figure 6 depicts this connection.\r\nFigure 6. The observed connection between Listeners.bat of Stately Taurus and ShadowPad.\r\nAs of mid-August 2024, it is unclear whether these two clusters originated from the same threat actor. 
The fact\r\nthat the two files originated from the same network session might indicate a connection between the ShadowPad\r\nactivity and the VSCode activity linked to Stately Taurus.\r\nOther scenarios could also explain this connection. For example, it could be a joint effort\r\nbetween two Chinese APT groups or perhaps two different groups piggybacking on each other’s access.\r\nThe ShadowPad Activity\r\nOne of the main tools used in this cluster is the ShadowPad backdoor.\r\nIn the cluster described in this section, the attacker abused the legitimate process imecmnt.exe via DLL\r\nsideloading to load the ShadowPad module (imjp14k.dll). Imecmnt.exe is a Microsoft Office Input Method Editor\r\n(IME) component.\r\nTo keep ShadowPad running on victim machines, the attacker created persistence via a service. These service\r\nnames are listed in the Indicators of Compromise section below.\r\nFigure 7 shows how ShadowPad (imecmnt.exe renamed as update.exe to appear less suspicious) spawns and\r\ninjects code into wmplayer.exe, which in turn spawns and injects code into dllhost.exe.\r\nFigure 7. ShadowPad infection in Cortex XDR.\r\nFurther TTPs related to the ShadowPad activity can be found in the Appendix section of the blog.\r\nConclusion\r\nIn this follow-up post, we shared new TTPs the Stately Taurus APT group used in an espionage campaign that\r\ntargeted government entities in Southeast Asia. One of the most noteworthy techniques that we observed in this\r\ncampaign is the abuse of Visual Studio Code for executing malicious code and gaining a foothold in the infected\r\nenvironment. 
According to our telemetry, this is the first time attackers have used this technique in the wild.\r\nIn addition, we examined a connection we encountered between the Stately Taurus activity cluster and another\r\ncluster that used the ShadowPad backdoor in the same environment. As of mid-August 2024, the connection\r\nbetween these two clusters remains uncertain.\r\nBased on the forensic evidence and timeline, one could conclude that these two clusters originated from the same\r\nthreat actor (Stately Taurus). However, other explanations could account for this\r\nconnection, such as a collaborative effort between two Chinese APT threat actors.\r\nWe encourage organizations to leverage our findings to inform the deployment of protective measures to defend\r\nagainst this threat group.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as\r\nmalicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify IP addresses associated with this group as\r\nmalicious.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malware and prevent the execution of unknown malware\r\nusing Behavioral Threat Protection as well as machine learning based on the Local Analysis\r\nmodule.\r\nProtect against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtect from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4.\r\nProtect against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as 
well as Behavioral Threat Protection.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics, through\r\nCortex XDR Pro.\r\nPrisma Cloud Compute and Advanced WildFire integration can help detect and prevent malicious\r\nexecution of the malware within Windows-based VM, container and serverless cloud infrastructure.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of Compromise\r\nStately Taurus Cluster\r\nSharpNBTScan\r\nListeners.bat\r\nShadowPad Cluster\r\nShadowPad\r\nShadowPad C2\r\n216.83.40[.]84\r\nShadowPad Service 
Names\r\nWindowsMailServices\r\ntest12\r\nWindowsEdgeUpdateServices\r\nJavaservice\r\nMimikatz\r\nIn-Swor\r\nLsass-dump-main\r\nTscan\r\nLaZagne\r\nShadowPad Cluster Attacker C2\r\n185.132.125[.]72\r\nAppendix: Further Activity Related to ShadowPad\r\nThe threat actor used the following tools to perform reconnaissance in victim environments:\r\nTscan: The attacker used a variation of the open-source tool fscan, which they named Tscan. Tscan’s\r\ncapabilities include scanning, password spraying and command execution.\r\nFigure 8 shows the Tscan banner and help menu, and Figure 9 shows Tscan (ts.exe) being detected for performing\r\na port scan.\r\nFigure 8. Tscan banner and help menu snippet.\r\nFigure 9. Tscan detected for performing a port scan in Cortex XDR.\r\nADExplorer64.exe: The attacker attempted to use the utility AD Explorer on the victim’s Active Directory.\r\nThis tool allows its user to easily query an Active Directory database.\r\nCredential Theft\r\nThe attacker attempted to use different methods to dump credentials. 
The methods were as follows:\r\nIn-Swor: The attacker attempted to use an open-source tool named In-Swor to execute Mimikatz, as shown\r\nin Figure 10. In-Swor appears to have a Chinese-speaking author and it is described as a penetration tool\r\nmeant to bypass antivirus products.\r\nAccording to the tool’s GitHub page, the current modules that are available for the tool include: mimikatz, frpc,\r\nbypassuac, elevation, killAV and fscan.\r\nFigure 10. In-Swor (wk.exe) prevented from loading Mimikatz in Cortex XDR.\r\nMimikatz: The attacker attempted to dump credentials from memory using the known credential-harvesting tool Mimikatz (named setup1.exe).\r\nLaZagne: The threat actor attempted to use the LaZagne tool to access passwords in infected systems.\r\nLaZagne is an open-source tool used to recover stored passwords from systems.\r\nLsass-dump-main: To retrieve passwords, the threat actor attempted to use what appeared to be a custom\r\ntool to dump the memory of the lsass.exe process to disk. Figure 11 shows the output of this tool.\r\nFigure 11. Output from the Lsass-dump-main tool.\r\nStealing the NTDS.dit File: To steal Active Directory data, the attacker attempted to steal NTDS.dit as\r\nshown in Figure 12. NTDS.dit is an Active Directory database that stores information about user objects,\r\ngroups, group membership and (most importantly) password hashes.\r\nFigure 12. Alert for dump of NTDS.dit in Cortex XDR.\r\nTo steal the NTDS.dit file, the threat actor used Vssadmin to create a volume shadow copy on the Domain\r\nController, which allowed the attacker to access the NTDS.dit file. 
Next, the attacker dumped the SYSTEM hive\r\nfrom the registry, which contains the boot key that is required to decrypt the NTDS.dit file.\r\nPSEXESVC.exe: The attacker used the popular PsExec utility for lateral movement across the victim’s\r\nenvironment. PsExec allows the execution of processes on remote systems.\r\nWindows Management Instrumentation (WMI): The threat actor used WMI to execute remote\r\nprocesses in the environment. WMI allows the execution of processes on local and remote systems.\r\nSource: https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/"
	],
	"report_names": [
		"stately-taurus-abuses-vscode-southeast-asian-espionage"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7b97c6f04613f6b58495874253d1928dfa64fc5.pdf",
		"text": "https://archive.orkl.eu/c7b97c6f04613f6b58495874253d1928dfa64fc5.txt",
		"img": "https://archive.orkl.eu/c7b97c6f04613f6b58495874253d1928dfa64fc5.jpg"
	}
}