{
	"id": "fb342720-a9be-4b82-9f9d-9fbb377313e7",
	"created_at": "2026-04-06T00:13:06.90165Z",
	"updated_at": "2026-04-10T13:13:01.200305Z",
	"deleted_at": null,
	"sha1_hash": "d3ab06012533c4c254aa8f04cc3ececea7c9d325",
	"title": "From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1193248,
	"plain_text": "From CastleLoader to CastleRAT: TAG-150 Advances Operations\r\nwith Multi-Tiered Infrastructure\r\nBy Insikt Group®\r\nArchived: 2026-04-05 18:50:43 UTC\r\nExecutive Summary\r\nInsikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid\r\ndevelopment, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The\r\ninfrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and\r\ndomains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure\r\ncomposed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote\r\naccess trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely\r\nleveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.\r\nTo protect against TAG-150, security defenders should block IP addresses and domains tied to associated loaders,\r\ninfostealers, and RATs, flag and potentially block connections to unusual LIS such as Pastebin, and deploy\r\nupdated detection rules (YARA, Snort) for current and historical infections. Other controls include implementing\r\nemail filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and\r\nAppendix A for a complete list of indicators of compromise (IoCs). In the long term, analysts should continuously\r\nmonitor the cybercriminal ecosystem for emerging threats and adapt controls accordingly.\r\nKey Findings\r\nInsikt Group uncovered a large infrastructure set operated by the threat actor tracked as TAG-150, known\r\nfor deploying malware such as CastleLoader. The infrastructure follows a multi-tiered model, with victim-facing Tier 1 servers as well as higher-level Tier 2, Tier 3, and Tier 4 infrastructure.\r\nIn addition, Insikt Group identified a new remote access trojan linked to TAG-150, dubbed CastleRAT.\r\nAvailable in both Python and C variants, CastleRAT's core functionality consists of collecting system\r\ninformation, downloading and executing additional payloads, and executing commands via CMD and\r\nPowerShell.\r\nFurther analysis also provides insights into TAG-150’s broader tool set and operational ecosystem, which\r\nleverages multiple file-sharing services, messaging platforms, and specialized utilities, including the anti-detection service Kleenscan (kleenscan[.]com).\r\nBackground\r\nTAG-150 is Insikt Group’s designation for the threat actor linked to the development and use of the malware\r\nfamilies CastleLoader, CastleBot, and, more recently, CastleRAT. They have been active since at least March 2025\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 1 of 11\n\n(see Figure 1). These malware families are frequently observed as initial infection vectors that deliver a wide\r\nrange of secondary payloads, including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, as well as\r\nnumerous information stealers such as Stealc, RedLine Stealer, Rhadamanthys Stealer, DeerStealer, MonsterV2,\r\namong others (1, 2).\r\nFigure 1: Timeline of TAG-150 activity (Source: Recorded Future)\r\nInfections are most commonly initiated through Cloudflare-themed “ClickFix” phishing attacks or fraudulent\r\nGitHub repositories masquerading as legitimate applications. The operators employ the ClickFix technique by\r\nleveraging domains that imitate software development libraries, online meeting platforms, browser update alerts,\r\nand document verification systems. Victims are tricked into copying and executing malicious PowerShell\r\ncommands on their own devices, thereby enabling the compromise. Public reporting indicates that although\r\noverall clicks and downloads were limited, the 28.7% infection rate among victims who interacted with malicious\r\nlinks underscores the effectiveness of TAG-150.\r\nPrior public reporting has suggested that TAG-150 operates on a Malware-as-a-Service (MaaS) model, which is\r\nsupported by its use in delivering a wide variety of second-stage payloads, the number of observed CastleLoader\r\nadmin panels, and the presence of features commonly associated with MaaS platforms (as noted by PRODAFT).\r\nHowever, Insikt Group has not identified any advertisements or discussions of such services on underground\r\nforums. Furthermore, Recorded Future Network Intelligence analysis suggests that TAG-150 primarily interacts\r\nwith its associated infrastructure, with only a small number of other IP addresses, potentially linked to external\r\ncustomers or affiliates, communicating with it. This network traffic, potentially associated with external customers\r\nor affiliates, is largely connected to Tor nodes, which complicates its classification.\r\nInfrastructure Analysis\r\nInsikt Group identified an extensive, multi-tiered infrastructure tied to TAG-150. The infrastructure consists of\r\nTier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT,\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 2 of 11\n\nWarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which\r\nare likely used for backup purposes. Figure 2 provides an overview of the entire infrastructure, while subsequent\r\nsections explore each component in greater detail.\r\nFigure 2: Multi-tiered infrastructure linked to TAG-150 (Source: Recorded Future)\r\nMulti-Tiered Infrastructure\r\nTier 1\r\nTier 1 infrastructure comprises numerous C2 servers associated with various malware families, such as\r\nCastleLoader, CastleRAT, SecTopRAT, and WarmCookie, among others. These servers are generally managed\r\nthrough Tier 2 servers, though in some cases, Tier 3 servers interact directly with them.\r\nCastleLoader\r\nInsikt Group identified a significant number of CastleLoader C2 servers associated with TAG-150, as outlined in\r\nAppendix B. These servers’ IP addresses often host domains registered through NameCheap, Inc. or TUCOWS,\r\nINC., though the domains do not adhere to any consistent naming convention. While CastleLoader C2\r\ninfrastructure has been observed across various autonomous system numbers (ASNs), a considerable portion is\r\ntied to the hosting providers servinga GmbH, FEMO IT SOLUTIONS LIMITED, and Eonix Corporation. FEMO\r\nIT SOLUTIONS LIMITED is assessed as a threat activity enabler (TAE) and is actively tracked by Insikt Group.\r\nAmong the domains analyzed, panelv1[.]hostingzealoft[.]today stood out, as it mimics the legitimate domain of a\r\nknown hosting provider, hostingzealot[.]com, which also hosts the IP address associated with this domain. The\r\nreason for this naming choice remains unclear. Beyond this, TAG-150 does not seem to follow a consistent\r\nnaming convention or thematic pattern across the other domains.\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 3 of 11\n\nCastleLoader Admin Panel\r\nMost CastleLoader C2 servers observed by Insikt Group provide both C2 functionality, primarily on port 80, and\r\nan admin panel, typically hosted on port 5050 and occasionally on port 9999. Figure 3 illustrates an example of a\r\nCastleLoader admin panel.\r\nFigure 3: CastleLoader C2 admin panel (Source: URLScan)\r\nCastleRAT\r\nBeyond CastleLoader and CastleBot, which have been previously reported on, Insikt Group has identified a new\r\nmalware family, dubbed CastleRAT, which is detailed further in the CastleRAT section. Insikt Group discovered\r\nboth C and Python variants of CastleRAT. Appendix B lists the CastleRAT C2 servers, typically exposed on ports\r\n80, 443, 7777, and occasionally on other ports. CastleRAT C2 servers have been observed across multiple ASNs,\r\nwith one particularly notable instance hosted on a Google Cloud IP address.\r\nSectopRAT\r\nInsikt Group identified at least seven SectopRAT C2 servers associated with TAG-150, six of which were accessed\r\nthrough TAG-150's higher-tier infrastructure (see Appendix B). The primary channels for C2 communication are\r\nTCP ports 15647, 15747, 15847, 15947, 14367, or 9000. In Appendix B, the first and last seen dates represent the\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 4 of 11\n\nearliest and latest instances in which these servers were observed communicating with TAG-150’s higher-tier\r\ninfrastructure. The IP address 92[.]255[.]57[.]32 has not been observed communicating with TAG-150’s higher-tier infrastructure; however, it is assessed to be associated with TAG-150 due to observed overlaps among victims.\r\nDuring analysis, Insikt Group also identified IP address 91[.]210[.]164[.]26, which is potentially linked to TAG-150 but has not been observed talking to TAG-150's higher-tier infrastructure.Notably, IP address\r\n176[.]126[.]163[.]56 hosts a self-signed transport layer security (TLS) certificate with the common name\r\nkrona186380. During analysis, Insikt Group also identified IP address 91[.]210[.]164[.]26 within the same ASN,\r\nwhich presented a similar self-signed TLS certificate with the common name krona184679. Although no samples\r\nor higher-tier infrastructure communications have been observed with this IP address, Insikt Group assesses it may\r\nbe linked to TAG-150 due to these similarities.\r\nDuring analysis, Insikt Group also identified IP address 91[.]210[.]164[.]26, which is potentially linked to TAG-150 but has not been observed talking to TAG-150's higher-tier infrastructure.\r\nWarmCookie\r\nInsikt Group identified at least one WarmCookie C2 server associated with TAG-150, as detailed in Appendix B.\r\nThis same IP address had previously been reported in connection with CastleLoader. The campaign IDs linked to\r\nthe observed WarmCookie samples were traffic1 and traffic2 . The SHA256 hash of the campaign ID is\r\nused to construct the CastleLoader GET request endpoint, which is suspected to be the prerequisite for retrieving\r\nthe correct follow-on payload(s).\r\nTier 2\r\nInsikt Group identified Tier 2 VPS servers likely functioning as intermediaries between victim-facing Tier 1\r\nservers and the Tier 3 infrastructure. Specifically, TAG-150 was observed accessing Tier 2 servers via RDP port\r\n3389 before subsequently connecting to Tier 1 servers over a variety of other ports. Connections were observed to\r\nCastleLoader, CastleRAT, SectopRAT, and WarmCookie, among others. Notably, in several instances, TAG-150\r\nbypassed Tier 2 entirely, connecting directly from the Tier 3 layer to Tier 1 servers. Insikt Group assesses this\r\nbehavior as either a shift in operational procedures by the same operators associated with TAG-150 or the result of\r\ndifferent operators employing alternative methods.\r\nTier 3\r\nTAG-150’s Tier 3 infrastructure appears to be split into two parts. On one side, Insikt Group identified a set of\r\nVPS servers all using the same TLS certificate, with one server standing out as the likely hub based on heavy\r\ntraffic and observed links to what’s assessed as Tier 4, which is discussed in the next section.\r\nSeparately, Insikt Group identified a Russian residential IP address assessed as Tier 3, which has been observed\r\ncommunicating with both Tier 2 and Tier 1 servers. The Russian IP address is announced by AS35807 (AS-SKYNET-SPB). This separation between VPS infrastructure and the residential IP address could signal the\r\npresence of a second operator tied to TAG-150. Of note, the Russian residential IP has been observed\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 5 of 11\n\ncommunicating regularly with Tox servers via the default user datagram protocol (UDP) port of 33445, suggesting\r\nthat TAG-150 leverages Tox for its internal communications.\r\nTier 4\r\nThe primary Tier 3 server has been observed communicating with another server, which Insikt Group assesses to\r\nbe a potential backup server, over a persistent high-port-to-high-port UDP session spanning several weeks. This\r\nserver is tracked as a Tier 4 server. The Tier 4 server is associated with an IP address announced by AS204601\r\n(ON-LINE-DATA), and in at least one instance, was observed communicating directly with a CastleLoader panel,\r\nan activity assessed as an operational security lapse.\r\nAdditionally, Insikt Group identified another set of servers likely part of Tier 4.\r\nServices Used by TAG-150\r\nThrough monitoring TAG-150’s activities using Recorded Future Network Intelligence and other sources, Insikt\r\nGroup has assessed that TAG-150 is highly likely leveraging a range of operational resources. These include the\r\nOxen network (formerly Lokinet), which provides infrastructure for privacy-focused applications such as secure\r\nmessaging platforms; Kleenscan (kleenscan[.]com), an alternative to the recently dismantled AVCheck; the file-sharing service temp[.]sh; the cryptocurrency exchange simpleswap[.]io; the file hosting service mega[.]nz; and,\r\nadditionally, Exploit Forum, which the group is also likely to use. Insikt Group has previously noted that\r\nfollowing AVCheck’s disruption, other cybercriminals, including Lumma affiliates, began using Kleenscan. In\r\nJune 2025, Insikt Group identified TAG-150 briefly interacting with a Matanbuchus Loader panel hosted on\r\n185[.]39[.]19[.]164.\r\nPayload Delivery Infrastructure\r\nInsikt Group discovered several payload delivery domains associated with CastleLoader, most of which are hosted\r\nbehind Cloudflare, with a single exception. All related indicators are provided in Appendix B.\r\nPotential Play Ransomware Activity\r\nDuring the investigation of TAG-150 activity, Insikt Group identified a French ISP IP that communicated with\r\nboth the CastleLoader panel on the IP address 107[.]158[.]128[.]45 and with a WarmCookie C2 server\r\n192[.]36[.]57[.]164. Of note, this WarmCookie C2 server was observed in network exfiltration involving an IP\r\naddress linked to a known Play Ransomware victim. Since the timing of the exfiltration coincides with the victim\r\norganization’s Play Ransomware compromise, Insikt Group assesses it is possible that Play Ransomware or one of\r\ntheir affiliates used CastleLoader.\r\nWhile Insikt Group did not find the full infection chain linking the specific WarmCookie and CastleLoader\r\ninstances, a WarmCookie sample with the same mutex was identified, which had been deployed via CastleLoader.\r\nThis finding increases the likelihood that the WarmCookie sample associated with 192[.]36[.]57[.]164 was also\r\ndeployed through CastleLoader, and may therefore be directly connected to 107[.]158[.]128[.]45.\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 6 of 11\n\nTo date, however, no public reporting has associated Play Ransomware with either WarmCookie or CastleLoader.\r\nIt therefore remains possible that the victim was targeted by multiple threat actors and that the WarmCookie\r\ninfection was unrelated to the Play Ransomware incident.\r\nCastleRAT is a RAT that includes C and Python variants sharing the following commonalities:\r\nCustom binary protocol using RC4 encryption with hard-coded 16-byte keys\r\nQueries the geolocation API ip-api[.]com to obtain location and other information through the infected\r\nhost’s public IP address\r\nDownload and execution of executables\r\nRemote shell\r\nThe C variant of CastleRAT also includes more advanced stealing capabilities, such as keylogging and screen\r\ncapturing. Both variants are in continual development. For example, C2 deaddrops hosted on Steam Community\r\npages is a new development, first observed in late August 2025 (see Figure 4).\r\nFigure 4: TAG-150’s CastleRAT using Steam Community for dead drop resolving (Source: Recorded Future)\r\nNotably, although CastleRAT has so far only been observed deployed alongside CastleLoader and its\r\ninfrastructure shows clear links to TAG-150, this does not necessarily indicate that CastleRAT was developed by\r\nthe same actor(s) behind CastleLoader; it remains possible that the malware was obtained elsewhere.\r\nCastleRAT Python Variant\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 7 of 11\n\nCastleRAT is a lightweight RAT first identified by Insikt Group in early August 2025 as a CastleLoader payload.\r\nNotably, this Python variant of the malware was publicly referenced in late August under the name PyNightshade,\r\nthough it remained otherwise undocumented.\r\nThe C variant of CastleRAT has yet to be publicly identified, but is flagged by numerous generic antivirus\r\ndetections not specifically linked to any malware family. It is therefore plausible that the Python variant of\r\nCastleRAT was designed with stealth in mind, as it currently exhibits zero or very few antivirus detections. The\r\nfollowing features have been implemented and unchanged since the CastleRAT Python variant was first observed\r\nin late July 2025:\r\nObtain and report country info of the public IP and system information\r\nGenerate ping/keep-alive messages every three seconds\r\nDownload and execute executables (EXEs) or dynamic-link libraries (DLLs)\r\nRun and report the output of cmd shell commands\r\nRun and report the output of PowerShell commands\r\nSelf-delete\r\nThe country information is retrieved from the well-known IP Geolocation service ip-api[.]com. The field’s status\r\nand country are queried (see Figure 5).\r\nFigure 5: CastleRAT Python variant request and response to Geolocation API service ip-api[.]com (Source:\r\nRecorded Future)\r\nThe Recorded Future Malware Intelligence query shown in Figure 6 can be used to hunt for CastleRAT Python\r\nvariants.\r\nInsikt Group assesses that the Python variant of CastleRAT remains under active development. Recent updates\r\nintroduced features such as encapsulating the binary protocol within WebSockets and leveraging Steam\r\nCommunity pages for C2 dead drops.\r\nCastleRAT C Variant\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 8 of 11\n\nThe C variant of CastleRAT incorporates significantly more functionality than the Python variant, which likely\r\nincreases its susceptibility to detection by generic antivirus solutions:\r\nObtain and report the country and other info of the public IP and system information\r\nGenerate ping/keep-alive messages every six seconds\r\nKeylogger\r\nClipper\r\nScreencapture\r\nFile Upload\r\nFile Download\r\nFind and terminate browser processes\r\nRun and report the output of shell commands\r\nRun and report the output of PowerShell commands\r\nRegister and un-register persistence\r\nExecute files via injection or masquerading as a browser\r\nC2 deaddrops via Steam Community pages\r\nAs with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect\r\ninformation based on the infected host’s public IP address. However, the scope of data has been expanded to\r\ninclude the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or Tor node (see\r\nFigure 7).\r\nFigure 7: CastleRAT C variant request and response to Geolocation API service ip-api[.]com (Source: Recorded\r\nFuture)\r\nRecent versions of the C variant of CastleRAT have removed querying of the city and ZIP code from the ip-api[.]com output (see Figure 8).\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 9 of 11\n\nFigure 8: CastleRAT C variant request and response to Geolocation API service ip-api (Source: Recorded Future)\r\nThe Recorded Future Malware Intelligence query shown in Figure 9 can be used to hunt for CastleRAT C\r\nvariants.\r\nFigure 9: Recorded Future Malware Intelligence query to hunt for CastleRAT C variant (Source: Recorded\r\nFuture)\r\nCastleRAT C variant uses the following unique Mutex objects for synchronization:\r\nThickwick3\r\nfsAiodwsfSAFuiefS\r\nBabaiMazai\r\nsPEJIOGDsionsgfdUewg\r\nKolokolBozhii\r\nFkgfIJGgJgdiJGDGHDjMGjia\r\nsdgiregdsssaFWIFS\r\nfsAiodwsfSAFuiefS2\r\nGoldVekRogerS\r\nXmGetzKAM8Bw8NCBTUYo5e\r\nIt is uncertain whether the Python variant will be updated to incorporate the data-stealing features of the C variant,\r\nas well as what additional capabilities the developers may introduce for detection evasion.\r\nVictimology\r\nInsikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure\r\nassociated with TAG-150’s various malware families. While the majority of these IP addresses appear to be\r\ngeolocated in the United States, only a limited number of actual victims could be positively identified. Most\r\nvictims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some\r\nof them represent private individuals who became infected.\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 10 of 11\n\nMitigations\r\nLeverage the IoCs in Appendix A to investigate potential past or ongoing infections, both successful and\r\nattempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with\r\nTAG-150 and other threat actors.\r\nLeverage Sigma, YARA, and Snort rules provided in Appendices C, D, and E in your SIEM or endpoint\r\ndetection and response (EDR) tools to detect the presence or execution of CastleLoader and CastleRAT. In\r\naddition, use other detection rules available in the Recorded Future Intelligence Cloud.\r\nUse Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate\r\ninfrastructure to known malicious infrastructure. This can be achieved by employing specific queries and\r\nfiltering the results based on your assets.\r\nUse the Recorded Future Intelligence Cloud to monitor TAG-150, other threat actors, and the broader\r\ncybercriminal ecosystem, ensuring visibility into the latest TTPs, preferred tools and services (for example,\r\nspecific TAEs used by threat actors), and emerging developments.\r\nOutlook\r\nInsikt Group assesses that TAG-150 will continue to evolve its tooling at a rapid pace, with a particular emphasis\r\non stealth and evasion. TAG-150 has already demonstrated technical sophistication and adaptability and Insikt\r\nGroup anticipates it will further experiment with anti-detection services and techniques to remain resilient against\r\ndefensive measures.\r\nGiven its history of deploying multiple likely self-developed malware families, including CastleLoader, CastleBot,\r\nand now CastleRAT, TAG-150 is highly likely to develop and release additional malware in the near term. Insikt\r\nGroup also assesses that there is a strong possibility that the group will expand its distribution efforts, whether to\r\nincrease victim reach or potentially operate in a MaaS capacity.\r\nInsikt Group will continue to closely monitor TAG-150’s infrastructure, tool development, and activity across\r\nunderground forums to track emerging threats and assess the group’s trajectory.\r\nSource: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nhttps://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
	],
	"report_names": [
		"from-castleloader-to-castlerat-tag-150-advances-operations"
	],
	"threat_actors": [
		{
			"id": "8a13b9be-e36d-4d48-9d19-5c93a62f862f",
			"created_at": "2026-03-08T02:00:03.472285Z",
			"updated_at": "2026-04-10T02:00:03.982274Z",
			"deleted_at": null,
			"main_name": "GrayBravo",
			"aliases": [
				"TAG-150"
			],
			"source_name": "MISPGALAXY:GrayBravo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3ab06012533c4c254aa8f04cc3ececea7c9d325.pdf",
		"text": "https://archive.orkl.eu/d3ab06012533c4c254aa8f04cc3ececea7c9d325.txt",
		"img": "https://archive.orkl.eu/d3ab06012533c4c254aa8f04cc3ececea7c9d325.jpg"
	}
}