{
	"id": "126a794b-6a2c-4677-a5d1-286ed8a88588",
	"created_at": "2026-04-06T03:35:40.72808Z",
	"updated_at": "2026-04-10T03:38:03.469939Z",
	"deleted_at": null,
	"sha1_hash": "e4758afc1dca048cf946c22d15afaa9ca3cef7c0",
	"title": "Operation Molerats: Middle East Cyber Attacks Using Poison Ivy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1325929,
	"plain_text": "Operation Molerats: Middle East Cyber Attacks Using Poison Ivy\r\nBy Nart Villeneuve, Thoufique Haq, Ned Moran\r\nPublished: 2013-08-23 · Archived: 2026-04-06 03:23:52 UTC\r\nDon't be too hasty to link every Poison Ivy-based cyber attack to China. The popular remote access tool (RAT), which we recently detailed on this blog, is being used in a broad campaign of attacks launched from the Middle East, too.\r\nFirst, some background:\r\nIn October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for the entire police force and banned the use of USB memory sticks. [1] Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well [2] — and, as discovered later, even the U.S. and UK governments. [3] Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”\r\nThreat actors in specific geographic regions may prefer one RAT to another, but many RATs are publicly available and used by a variety of threat actors, including those involved in malware-based espionage.\r\nIn 2012, the Molerats attacks appeared to rely heavily on the XtremeRAT, a freely available tool that is popular with attackers based in the Middle East. [5] But the group has also used Poison Ivy (PIVY), a RAT more commonly associated with threat actors in China [6] — so much so that PIVY has, inaccurately, become synonymous with all APT attacks linked to China.\r\nThis blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files. 
[7]\r\nEnter Poison Ivy\r\nWe observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY\r\npayload that connected to command-and-control (CnC) infrastructure used by the Molerats attackers.\r\nhttps://web.archive.org/web/20201031075438/https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html\r\nPage 1 of 13\n\nThe malware sample we analyzed was unusual for two reasons:\r\nIt referenced an article that was published last year\r\nThe compile time for the dropped binary was also dated from last year, seemingly consistent with the referenced\r\narticle. But this malware was signed, and — in contrast to the compile time, which can be faked — the signing time\r\non its certificate was much more recent: Monday, July 08, 2013 1:45:10 A.M.\r\nHere are the file details:\r\nHamas shoot down Israeli F-16 fighter jet by modern weapon in Gaza sea.doc- - - - - - - - - - - -.scr\r\nMD5: 7084f3a2d63a16a191b7fcb2b19f0e0d\r\nThis malware was signed with a forged Microsoft certificate similar to previous XtremeRat samples. 
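The compile-time versus signing-time comparison made above, as an added example (Python written for this page, not code from the FireEye post): it reads IMAGE_FILE_HEADER.TimeDateStamp straight out of a PE image and judges it against the signing time. The signing time is passed in as an already-parsed value (pulling it out of the PKCS#7 blob is out of scope), the PE header is a stub constructed inside the block rather than the Molerats sample, and the 180-day threshold is an assumed heuristic. One caveat the post does not spell out: the signing time is only as trustworthy as its source. A timestamp-authority countersignature cannot be backdated by the signer, whereas a plain signingTime attribute produced with a forged certificate chain is as attacker-controlled as the compile stamp.

```python
import struct
from datetime import datetime, timezone

# Standard PE header offsets (assumption of this example, not taken from the post).
E_LFANEW_OFFSET = 0x3C            # DWORD at the end of IMAGE_DOS_HEADER: offset of the PE signature
PE_SIGNATURE = b'PE' + bytes(2)   # 'PE' followed by two zero bytes
TIMESTAMP_OFFSET = 8              # IMAGE_FILE_HEADER.TimeDateStamp sits 4 bytes after the signature
BACKDATE_THRESHOLD_DAYS = 180     # assumed heuristic for 'signed long after it claims to be compiled'


def pe_compile_time(image: bytes) -> datetime:
    '''Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image as a UTC datetime.'''
    if image[:2] != b'MZ':
        raise ValueError('not a PE image: MZ header missing')
    (e_lfanew,) = struct.unpack_from('<I', image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError('not a PE image: PE signature missing')
    (stamp,) = struct.unpack_from('<I', image, e_lfanew + TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(compile_time: datetime, signing_time: datetime, now: datetime) -> str:
    '''Judge the forgeable compile stamp against the signing time.

    Only an ordering that is impossible for an honest build is called forged;
    a large gap is merely suspicious, because the stamp may simply be backdated.'''
    if compile_time > now:
        return 'forged: compile time lies in the future'
    if compile_time > signing_time:
        return 'forged: binary claims to be compiled after it was signed'
    if (signing_time - compile_time).days > BACKDATE_THRESHOLD_DAYS:
        return 'suspicious: signed long after the claimed compile time (backdating likely)'
    return 'consistent'


def build_stub_pe(stamp: int) -> bytes:
    '''Construct the minimal header of a PE image carrying the given TimeDateStamp.
    Test input only: not a loadable binary and not the Molerats sample.'''
    header = bytearray(0x40 + 4 + 20)              # DOS header + signature + IMAGE_FILE_HEADER
    header[0:2] = b'MZ'
    struct.pack_into('<I', header, E_LFANEW_OFFSET, 0x40)
    header[0x40:0x44] = PE_SIGNATURE
    struct.pack_into('<I', header, 0x40 + TIMESTAMP_OFFSET, stamp)
    return bytes(header)


def _utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def check_sample(compile_iso: str, signing_iso: str, now_iso: str) -> str:
    '''Build a stub with the given compile time, parse it back and return the verdict.'''
    stub = build_stub_pe(int(_utc(compile_iso).timestamp()))
    return timestamp_verdict(pe_compile_time(stub), _utc(signing_iso), _utc(now_iso))


if __name__ == '__main__':
    # Shape of the post's sample: a 2012 compile stamp, signed 2013-07-08 01:45:10.
    # The post does not give the exact compile date; 2012-11-01 is a placeholder.
    print(check_sample('2012-11-01T00:00:00', '2013-07-08T01:45:10', '2013-08-23T00:00:00'))
```

Run it on a real file by replacing the stub with the file's bytes and supplying the signing time you extracted from the signature; the verdict strings are meant to be triaged, not trusted blindly, since a legitimately re-signed old build also produces a large gap.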
But the serial number (which is often reused by attackers, enabling FireEye researchers to link individual attacks, including those by the Molerats) is different this time.\r\nThe malware dropped an instance of PIVY with the following configuration:\r\nID: F16 08-07-2013\r\nGroup:\r\nDNS/Port: Direct: toornt.servegame.com:443,\r\nProxy DNS/Port:\r\nProxy Hijack: No\r\nActiveX Startup Key:\r\nHKLM Startup Entry:\r\nFile Name:\r\nInstall Path: C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\morse.exe\r\nKeylog Path: C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\morse\r\nInject: No\r\nProcess Mutex: gdfgdfgdg\r\nKey Logger Mutex:\r\nActiveX Startup: No\r\nHKLM Startup: No\r\nCopy To: No\r\nMelt: No\r\nPersistence: No\r\nKeylogger: No\r\nPassword: !@#GooD#@!\r\nWe collected additional PIVY samples that had the same password or linked to CnC infrastructure at a common IP address (or both). We observed three PIVY passwords (another potential identifier) used in the attacks: “!@#GooD#@!”, “!@#Goood#@!” and “admin100”.\r\nAdditional Samples with Middle Eastern Themes\r\nWe also found a PIVY sample used by this group that leveraged what are known as key files instead of passwords. The PIVY builder allows operators to load .pik files containing a key to secure communications between the compromised computer and the attacker's machine. By default, PIVY secures these communications with the ASCII text password \"admin\"; when the same non-default password appears in multiple attacks, researchers can conclude that the attacks are related.\r\nThe PIVY sample in question had an MD5 hash of 9dff139bbbe476770294fb86f4e156ac and communicated with a CnC server at toornt.servegame.com over port 443. 
The key file used to secure communications contained the following ASCII string ‘Password (256 bits):\\x0d\\x0aA9612889F6’ (where \\x0d\\x0a represents a line break).\r\nThe 9dff139bbbe476770294fb86f4e156ac sample dropped a decoy document in Arabic that included a transcript of an interview with Salam Fayyad, the former Prime Minister of the Palestinian National Authority.\r\nThe sample 16346b95e6deef9da7fe796c31b9dec4 was also seen communicating with toornt.servegame.com over port 443. This sample appears to have been delivered to its targets via a link to a RAR archive labeled Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375) hosted at the Dropbox file-sharing website.\r\nThe sample a8714aac274a18f1724d9702d40030bf dropped a decoy document in Arabic that contained a biography of General Abdel Fattah el-Sisi, the Commander-in-Chief of the Egyptian Armed Forces.\r\nA recent sample (d9a7c4a100cfefef995785f707be895c) used protests in Egypt to entice recipients to open a malicious file.\r\nAnother sample (b0a9abc76a2b4335074a13939c59bfc9) contained a decoy with a grim picture of Fadel Al Radfani, who was the adviser to the defense minister of Yemen before he was assassinated.\r\nAlthough we are seeing Egyptian- and Middle Eastern-themed 
attacks using decoy content in Arabic, we cannot determine the intended targets of all of these attacks.\r\nDelivery Vector\r\nWe believe that the Molerats attacker uses spear phishing to deliver weaponized RAR files containing their malicious payloads to their victims in at least two different ways. The Molerats actor will in some cases attach the weaponized RAR file directly to their spear-phishing emails. We also believe that this actor sends spear-phishing emails that include links to RAR files hosted on third-party platforms such as Dropbox.\r\nIn one such example we found the following link was used to host Ramadan.rar (fc554a0ad7cf9d4f47ec4f297dbde375):\r\nhxxps://dl[.]dropboxusercontent[.]com/s/uiod7orcpykx2g8/Ramadan.rar?token_hash=AAHAVuiXpTkOKwar9e0WH-EfrK7PEB9O7t7WC6Tgtn315w\u0026dl=1\r\nCnC Infrastructure\r\nWe have found 15 PIVY samples that can be linked through common passwords, common CnC domain names, and common IP addresses to which the CnC domains resolve. The CnC servers for this cluster of activity are:\r\ntoornt.servegame.com\r\nupdateo.servegame.com\r\negypttv.sytes.net\r\nskype.servemp3.com\r\nnatco2.no-ip.net\r\nTwo of the domain names (natco2.no-ip.net and skype.servemp3.com) that were used as CnCs for PIVY were both documented as XtremeRat CnCs that were used in previous attacks. [8]\r\nWe focused on these domains and their IP addresses, which they had in common with toornt.servegame.com. In addition, we added the well-known CnCs good.zapto.org and hint.zapto.org used in previously documented attacks.\r\nBy observing that changes in DNS resolution for these domains occurred within the same timeframe, we were able to confirm that the passive DNS records we collected described the same infrastructure. 
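The linking described in this section, as an added example (Python written for this page, not code from the FireEye post): it clusters samples on the three pivots the post relies on, a shared non-default PIVY password, a shared CnC domain, and CnC domains that resolved to the same IP within a short window of each other. The hashes, passwords, domains and resolution times come from the post; the records marked constructed, the 6-hour co-hosting window, and the rule of ignoring PIVY's default password of admin (shared by every unmodified build, so it links nothing) are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# PIVY's built-in default, stated in the post; every unmodified build shares it, so it must never serve as a pivot.
DEFAULT_PIVY_PASSWORD = 'admin'


class DisjointSet:
    '''Union-find over sample hashes; the connected components are the clusters.'''
    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cohosted_domains(pdns, window=timedelta(hours=6)):
    '''Yield (domain_a, domain_b, ip) for domains seen on one IP within `window` of each other.

    The window guards against dynamic-DNS providers recycling an address between
    unrelated customers; 6 hours is an assumed value, not one from the post.'''
    by_ip = defaultdict(list)
    for domain, ip, seen in pdns:
        by_ip[ip].append((seen, domain))
    for ip, entries in by_ip.items():
        entries.sort()
        for i, (t1, d1) in enumerate(entries):
            for t2, d2 in entries[i + 1:]:
                if d1 != d2 and t2 - t1 <= window:
                    yield d1, d2, ip


def cluster_samples(samples, pdns, window=timedelta(hours=6)):
    '''Link samples that share a non-default password, a CnC domain, or co-hosted CnC domains.'''
    ds = DisjointSet()
    by_password, by_domain = defaultdict(list), defaultdict(list)
    for s in samples:
        ds.add(s['md5'])
        if s['password'] and s['password'] != DEFAULT_PIVY_PASSWORD:
            by_password[s['password']].append(s['md5'])
        for domain in s['cnc']:
            by_domain[domain].append(s['md5'])
    for group in list(by_password.values()) + list(by_domain.values()):
        for md5 in group[1:]:
            ds.union(group[0], md5)
    for d1, d2, _ip in cohosted_domains(pdns, window):
        for a in by_domain.get(d1, []):
            for b in by_domain.get(d2, []):
                ds.union(a, b)
    clusters = defaultdict(set)
    for s in samples:
        clusters[ds.find(s['md5'])].add(s['md5'])
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


SAMPLES = [
    # From the post: signed dropper, password !@#GooD#@!, CnC toornt.servegame.com:443
    {'md5': '7084f3a2d63a16a191b7fcb2b19f0e0d', 'password': '!@#GooD#@!', 'cnc': ['toornt.servegame.com']},
    # From the post: .pik key file instead of a password, same CnC
    {'md5': '9dff139bbbe476770294fb86f4e156ac', 'password': None, 'cnc': ['toornt.servegame.com']},
    # Constructed: a build with the third password from the post, beaconing to egypttv.sytes.net
    {'md5': 'constructed-sample-1', 'password': 'admin100', 'cnc': ['egypttv.sytes.net']},
    # Constructed: default-password builds on unrelated infrastructure; they must stay out of the cluster
    {'md5': 'constructed-sample-2', 'password': 'admin', 'cnc': ['unrelated.invalid']},
    {'md5': 'constructed-sample-3', 'password': 'admin', 'cnc': ['other.invalid']},
]

PDNS = [  # (domain, ip, seen): first and last rows of the post's resolution table, plus constructed noise
    ('toornt.servegame.com', '209.200.39.48', datetime(2013, 7, 10, 22, 6, 56)),
    ('natco2.no-ip.net', '209.200.39.48', datetime(2013, 7, 10, 22, 5, 31)),
    ('egypttv.sytes.net', '173.225.126.17', datetime(2013, 8, 10, 14, 7, 38)),
    ('toornt.servegame.com', '173.225.126.17', datetime(2013, 8, 10, 14, 8, 43)),
    ('unrelated.invalid', '198.51.100.7', datetime(2013, 8, 10, 14, 0, 0)),   # constructed
    ('other.invalid', '198.51.100.7', datetime(2013, 9, 10, 14, 0, 0)),       # constructed: same IP a month later
]

if __name__ == '__main__':
    for cluster in cluster_samples(SAMPLES, PDNS):
        print(cluster)
```

The two constructed default-password samples share an IP but a month apart, so neither the password nor the co-hosting rule joins them to anything; the egypttv.sytes.net build joins the toornt.servegame.com pair only because both domains sat on 173.225.126.17 within about a minute of each other.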
Interestingly, we also found that the domains often shifted to a new IP address over time.\r\nCnC                    Date                 IP\r\ntoornt.servegame.com   2013-07-10 22:06:56  209.200.39.48\r\nnatco2.no-ip.net       2013-07-10 22:05:31  209.200.39.48\r\nskype.servemp3.com     2013-07-10 23:45:46  209.200.39.48\r\ngood.zapto.org         2013-07-10 23:48:41  209.200.39.48\r\nhint.zapto.org         2013-07-10 23:48:41  209.200.39.48\r\ntoornt.servegame.com   2013-07-16 09:14:30  209.200.39.88\r\nnatco2.no-ip.net       2013-07-16 11:33:21  209.200.39.88\r\nskype.servemp3.com     2013-07-16 12:47:59  209.200.39.88\r\ngood.zapto.org         2013-07-16 12:50:51  209.200.39.88\r\nhint.zapto.org         2013-07-16 12:50:51  209.200.39.88\r\ntoornt.servegame.com   2013-07-21 15:00:38  173.225.126.16\r\nnatco2.no-ip.net       2013-07-21 15:28:43  173.225.126.16\r\nhint.zapto.org         2013-07-21 16:31:07  173.225.126.16\r\ntoornt.servegame.com   2013-07-21 22:06:19  173.225.126.10\r\nnatco2.no-ip.net       2013-07-21 22:04:49  173.225.126.10\r\ntoornt.servegame.com   2013-07-29 15:38:21  209.200.39.220\r\nnatco2.no-ip.net       2013-07-29 15:35:52  209.200.39.220\r\nskype.servemp3.com     2013-07-29 16:46:35  209.200.39.220\r\ngood.zapto.org         2013-07-29 16:49:27  209.200.39.220\r\nhint.zapto.org         2013-07-29 16:49:27  209.200.39.220\r\nnatco2.no-ip.net       2013-07-10 22:05:31  209.200.39.48\r\ngood.zapto.org         2013-07-10 22:06:35  209.200.39.48\r\nhint.zapto.org         2013-07-10 22:06:37  209.200.39.48\r\ntoornt.servegame.com   2013-07-10 22:06:56  209.200.39.48\r\nomagle.serveblog.net   2013-07-10 22:19:03  209.200.39.48\r\nskype.servemp3.com     2013-07-10 22:19:31  209.200.39.48\r\negypttv.sytes.net      2013-08-10 14:07:38  173.225.126.17\r\ntoornt.servegame.com   2013-08-10 14:08:43  173.225.126.17\r\nOne interesting discovery concerns a sample (5b740b4623b2d1049c0036a6aae684b0) that was 
first seen by VirusTotal on September 14, 2012. This date is within the timeframe of the original XtremeRat attacks, but the payload in this case was PIVY. This indicates that the attackers have been using PIVY in addition to XtremeRat for longer than we had originally believed.\r\nConclusion\r\nWe do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective, publicly available RAT to their arsenal. But this development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge.\r\nThe ongoing attacks are also heavily leveraging content in Arabic that uses conflicts in Egypt and the wider Middle East to lure targets into opening malicious files. But we have no further information about the exact targets of these Arabic lures.\r\nAs events on the ground in the Middle East, and in Egypt in particular, receive international attention, we expect the Molerats operators to continue leveraging these headlines to catalyze their operations.\r\nNotes\r\n1. http://www.timesofisrael.com/how-israel-police-computers-were-hacked-the-inside-story/\r\nhttp://www.haaretz.com/blogs/diplomania/israel-s-foreign-ministry-targeted-by-computer-virus-bearing-idf-chief-s-name.premium-1.472278\r\n2. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf\r\n3. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/\r\n4. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/\r\n5. 
http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/\r\n6. /content/dam/legacy/resources/pdfs/fireeye-poison-ivy-report.pdf\r\n7. The Molerats group also uses additional RATs such as XtremeRat, Cerberus and Cybergate, but we have focused on their use of PIVY in this blog.\r\n8. http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf\r\nYara Signature\r\nThis Yara signature can be used to locate signed samples that have the new certificate serial numbers used by Molerats.\r\nrule Molerats_certs\r\n{\r\n    meta:\r\n        author = \"FireEye Labs\"\r\n        description = \"this rule detects code signed with certificates used by the Molerats actor\"\r\n    strings:\r\n        // serial numbers of the forged signing certificates, matched as the raw bytes that appear in the PE's Authenticode blob\r\n        $cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}\r\n        $cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}\r\n        $cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}\r\n    condition:\r\n        1 of ($cert*)\r\n}\r\nSamples\r\n9dff139bbbe476770294fb86f4e156ac\r\n6350d1039742b87b7917a5e26de2c25c\r\nb0a9abc76a2b4335074a13939c59bfc9\r\n5b740b4623b2d1049c0036a6aae684b0\r\n9dff139bbbe476770294fb86f4e156ac\r\ncf31aea415e7013e85d1687a1c0f5daa\r\n973b5f2a5608d243e7305ee4f9249302\r\ne85fc76362c2e9dc7329fddda8acc89e\r\nb05603938a888018d4dcdc551c4be8ac\r\n7084f3a2d63a16a191b7fcb2b19f0e0d\r\n16346b95e6deef9da7fe796c31b9dec4\r\na8714aac274a18f1724d9702d40030bf\r\nd9a7c4a100cfefef995785f707be895c\r\n9ef9a631160b96322010a5238defc673\r\na60873e364a01870b2010518d05a62df\r\nSource: 
https://web.archive.org/web/20201031075438/https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20201031075438/https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
	],
	"report_names": [
		"operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446540,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4758afc1dca048cf946c22d15afaa9ca3cef7c0.pdf",
		"text": "https://archive.orkl.eu/e4758afc1dca048cf946c22d15afaa9ca3cef7c0.txt",
		"img": "https://archive.orkl.eu/e4758afc1dca048cf946c22d15afaa9ca3cef7c0.jpg"
	}
}