{
	"id": "f6b4de04-39fd-43db-b744-f3dd3df2e16f",
	"created_at": "2026-04-06T00:22:02.653Z",
	"updated_at": "2026-04-10T03:34:27.89003Z",
	"deleted_at": null,
	"sha1_hash": "ee9ef33464b87e53e9f8406fc537f089694f8656",
	"title": "Derailing the Raptor Train",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94528,
	"plain_text": "Derailing the Raptor Train\r\nBy Black Lotus Labs\r\nArchived: 2026-04-05 20:09:26 UTC\r\nPublished on Sep 18, 2024 | 8 minute read\r\nExecutive summary\r\nIn mid-2023, Black Lotus Labs began an investigation into compromised routers that led to the discovery of a\r\nlarge, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices that we assess is likely\r\noperated by the nation-state Chinese threat actors known as Flax Typhoon. We call this botnet “Raptor Train,” and\r\nit has been over four years in the making.\r\nAt its peak in June 2023, the Raptor Train botnet consisted of over 60,000 actively compromised devices. Since\r\nthat time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS)\r\nservers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date. In fact, a command and control (C2) domain in the most recent\r\ncampaign cracked both the Cloudflare Radar and Cisco Umbrella “top 1 million” popularity lists. Based on the\r\nrecent scale of device exploitation, we suspect hundreds of thousands of devices have been entangled by this\r\nnetwork since its formation in May 2020.\r\nThe botnet operators manage this large and varied network through a series of distributed payload and C2 servers,\r\na centralized Node.js backend, and a cross-platform Electron application front-end that the actors have dubbed\r\n“Sparrow.” This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their\r\ninfected nodes at any given time. This service enables an entire suite of activities, including scalable exploitation\r\nof bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and\r\ndownloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS)\r\nattacks at-scale. 
The botnet operators can automate certain tasks for the C2 network and allow for the steady\r\ncollection of logs and bot information to increase the operators’ situational awareness. Using an advanced control\r\nsystem frees up time for hands-on exploitation, streamlines the management process and allows more threat actors\r\nto contribute to operations.\r\nWhile Black Lotus Labs has yet to see any DDoS attacks originating from Raptor Train, we suspect this is an\r\nability the China-based operators preserve for future use. Black Lotus Labs has discovered activity from this\r\nnetwork targeting U.S. and Taiwanese entities in the military, government, higher education, telecommunications,\r\ndefense industrial base (DIB) and information technology (IT) sectors. In addition, possible exploitation attempts\r\nagainst Atlassian Confluence servers and Ivanti Connect Secure appliances have sprung from nodes associated\r\nwith this botnet.\r\nWe will break down this large, complex botnet into two parts – this blog and a longer, downloadable report. Here\r\nwe will walk through a high-level overview of the network architecture of Raptor Train, describe exploitation\r\nhttps://blog.lumen.com/derailing-the-raptor-train/\r\nPage 1 of 8\n\ncampaigns, add a brief analysis of the C2 controller software, and conclude with the potential operational use of\r\nthis network, based on our visibility. For the malware analysis, extended details of each campaign and full scope\r\nof research into this four-year operation, please download the full Raptor Train report.\r\nLumen Technologies would like to commend the FBI and DOJ for their efforts in countering Chinese cyber\r\nactivity against U.S. critical infrastructure. Lumen Technologies shared threat intelligence to warn agencies across\r\nthe U.S. Government of the emerging risks that could impact our nation’s strategic assets. 
In addition, we have\r\nnull-routed traffic to the known points of infrastructure used by the Raptor Train operators including their\r\ndistributed botnet management, C2, payload and exploitation infrastructure.\r\nTechnical details\r\nThe Raptor Train botnet is a complex, multi-tiered network that has been evolving over the last four years. Black\r\nLotus Labs has observed at least three tiers of activity, and several categories within each tier. During operations,\r\nbot tasks are initiated from Tier 3 “Sparrow” management nodes, which are then routed through the appropriate\r\nTier 2 C2s and then sent to the bots themselves in Tier 1. Like the base of a pyramid, the first tier is the largest in\r\nsize, while Tiers 2 and 3 form the control, exploitation and management segments. Each tier has varying\r\nlifecycles, some due to the nature and use of the physical device as with Tier 1, where bots last an average of 17\r\ndays. Most Tier 2 and Tier 3 nodes are procured Virtual Private Servers (VPSs) allowing them to have greater\r\nlongevity averaging around 77 days. The Tier 2 VPSs are located throughout the world, while Tier 3 servers are\r\nlargely based in Hong Kong or the PRC.\r\nThe primary implant seen on most of the Tier 1 nodes, which Black Lotus Labs calls “Nosedive”, is a custom\r\nvariation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM,\r\nSuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers through a unique\r\nURL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for\r\nspecific C2s by encoding the requested C2 domain and joining it with a unique “key” that identifies the bot and\r\nthe target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the\r\nNosedive implant payload that is deployed to the Tier 1 node. 
Once deployed, Nosedive runs in-memory only and\r\nallows the operators to execute commands, upload and download files, and run DDoS attacks on compromised\r\ndevices.\r\nAll samples Black Lotus Labs found of Nosedive and its associated droppers were memory-resident only and\r\ndeleted from disk. This, in addition to anti-forensics techniques employed on these devices including the\r\nobfuscation of running process names, compromising devices through a multi-stage infection chain, and killing\r\nremote management processes, makes detection and forensics much more difficult.\r\nThe breakdown of the Raptor Train network by tier is as follows:\r\nTier 1\r\nCompromised SOHO/IoT devices\r\nTier 2\r\nExploitation servers\r\nPayload servers\r\nC2 servers\r\nTier 3\r\nManagement nodes\r\n“Sparrow” nodes\r\nNetwork architecture\r\nTier 1\r\nThis tier consists of the compromised SOHO and IoT devices, including modems, routers, IP cameras, NVR/DVR\r\ndevices, and NAS devices. The operators are likely exploiting more than 20 different device types with both 0-day\r\nand n-day (known) vulnerabilities for inclusion as Tier 1 nodes. These include, but may not be limited to, the\r\nfollowing:\r\nModems/Routers\r\nActionTec PK5000\r\nASUS RT-*/GT-*/ZenWifi\r\nTP-LINK\r\nDrayTek Vigor\r\nTenda Wireless\r\nRuijie\r\nZyxel USG*\r\nRuckus Wireless\r\nVNPT iGate\r\nMikrotik\r\nTOTOLINK\r\nIP Cameras\r\nD-LINK DCS-*\r\nHikvision\r\nMobotix\r\nNUUO\r\nAXIS\r\nPanasonic\r\nNVR/DVR\r\nShenzhen TVT NVRs/DVRs\r\nNAS\r\nQNAP (TS Series)\r\nFujitsu\r\nSynology\r\nZyxel\r\nThe number of active Tier 1 nodes is constantly fluctuating; tens of thousands of actively compromised devices\r\ncheck into the Tier 2 C2 servers at any given time. 
The average lifespan of an active Tier 1 node (compromised\r\ndevice) is approximately 17 days and most of the Nosedive implants do not have a method of persistence, which is\r\na sign the operators are not concerned with the regular rotation of compromised devices. The massive scale of\r\nvulnerable devices on the internet allows the actors to forgo persistence mechanisms and regularly exploit new\r\ndevices to meet operational needs.\r\nTier 2\r\nThis tier consists of procured, dedicated virtual servers and serves as the C2, exploitation and payload delivery\r\nframework to the Tier 1 nodes. The payload servers can be further broken down into two types: first stage and\r\nsecond stage. The more generic “first-stage” payload servers are longer-running and provide the payload retrieval\r\ncapability for most of the compromised Tier 1 nodes. The “second stage” servers often host their payloads on\r\nhigh, random ephemeral ports (e.g. 32123, 38525, etc.) and are used in multi-stage droppers. We have observed\r\nthese “second stage” payload servers in more targeted efforts against specific device types, possibly to better\r\nobfuscate 0-day vulnerabilities in the target devices.\r\nThe C2 servers in Tier 2 receive the callbacks from compromised devices in Tier 1 over port 443. A signature\r\nfeature of the Tier 2 C2 servers is the exposed C2 port, 443, with a TLS certificate displaying a random\r\nalphanumeric domain in the subject and issuer fields, as seen below:\r\nThe Tier 2 C2 nodes are most often managed by Tier 3 management nodes over port 34125, which has its own\r\nunique TLS certificate. The growth of Tier 2 C2 nodes has been significant over the past four years. 
For example,\r\nBlack Lotus Labs tracked approximately 1-5 C2 nodes between 2020 and 2022, 11 C2 nodes in mid-2023, 30 C2\r\nnodes between February 2024 and March 2024, and upwards of 60 C2 nodes between June 2024 and August\r\n2024. Each time we identified a growth in C2 nodes, we observed an increase in Tier 1 nodes (bots).\r\nTier 3\r\nTier 3 is the management tier of the botnet. The botnet operators can manually manage Tier 2 nodes via SSH over\r\nport 22 from the Tier 3 nodes and, for the Tier 2 C2 nodes specifically, automatically via TLS connections over\r\nport 34125. These management nodes relay commands and collect data for the Sparrow controller.\r\nFor manual Tier 2 management, the Tier 3 nodes were observed with sustained sessions to Tier 2 nodes over SSH\r\nport 22 exclusively during Chinese working hours, Monday through Friday:\r\nIn addition, Tier 3 nodes were found with consistent, recurring connections over TLS over port 34125. These\r\nconnections are part of the Sparrow C2 controller process where the Tier 3 management nodes are regularly\r\ncollecting logs and bot information and issuing commands to the C2s that originate from the Sparrow front-end\r\ncontroller. In contrast to the manual management over port 22, the Sparrow connections over port 34125 are more\r\nregular and consistent at all hours of the day, every day of the week:\r\nThe Sparrow controller falls into another set of Tier 3 management nodes that we call “Sparrow” nodes. The\r\nSparrow nodes provide the front-end (web interface), backend (database) and auxiliary functions (e.g.\r\npayload/exploit generator) needed for management and continued growth of the expansive Raptor Train network.\r\nThe primary Sparrow web interface is named “节点综合控制工具v1.0.7” which translates to “Node\r\nComprehensive Control Tool v1.0.7” (NCCT). 
The botnet operators named this NCCT management application\r\n“Sparrow,” and it is a full-featured, scalable botnet controller in the form of a cross-platform Electron application.\r\nSparrow provides a permission-based management system enabling a team of botnet operators to execute\r\ncommands, upload or download files, collect data on or run DDoS attacks on compromised devices. The operators\r\ncan also manage and control a broad set of exploits, vulnerabilities, distributed C2 servers, and infected nodes\r\nfrom a central platform.\r\nBlack Lotus Labs identified another Tier 3 Sparrow management node we call “Condor.” Condor is a web service\r\nbuilt to enable an array of vulnerability exploitation elements of the botnet including payload generation, exploit\r\nattempts, verification, and logging. Condor assists in the discovery of new vulnerabilities (e.g. 0-days), verifying\r\nactive payloads and testing exploits.\r\nMore details on the multi-tiered network architecture, malware analysis (including Nosedive and its various\r\ndroppers) and management infrastructure capabilities (including Sparrow and Condor) can be found in the full\r\nRaptor Train report here.\r\nCampaign overview\r\nThe Raptor Train botnet has been constantly evolving since mid-2020. The initial campaign, Crossbill, began with\r\na single C2 callback and 4 subdomains. By the middle of the botnet’s lifecycle, the naming scheme of the C2\r\ndomains had shifted to include random alphanumeric subdomains, which led to a diversified and expanded Tier 2\r\ninfrastructure and the introduction of a unique URL encoding scheme. 
While some of the naming patterns and\r\neven certificates were repeated, each campaign showed distinctions in size, targeting, or rotating C2 root domains.\r\nBlack Lotus Labs has detected several bands of effort since Raptor Train’s inception over four years ago, and has\r\ndivided them into four campaigns: Crossbill, Finch, Canary and Oriole.\r\nCrossbill campaign (May 2020 to April 2022)\r\nThe earliest identified campaign began in May 2020. During this campaign, the operators deployed the very first\r\niteration of the Mirai-based, customized implant we call Nosedive on compromised devices. Initially, the root\r\ndomain k3121.com was used as the sole C2 domain, but by mid-2021, the operators began using encoded random\r\nalphanumeric C2 subdomains (e.g. wsxe.k3121.com, dfgh.k3121.com, etc.).\r\nFinch campaign (July 2022 to June 2023)\r\nThe Finch campaign began in July 2022 and is signified by the root domain b2047.com. Despite the campaign not\r\nstarting until July 2022, the b2047.com domain was first registered in September 2019 and resolved to parked\r\nAlibaba Cloud IP space. It is possible the preparation phase of the Raptor Train botnet was already underway by\r\nlate 2019.\r\nThe C2 subdomains of b2047.com followed a similar format to those in the Crossbill campaign in 2020 (e.g.\r\nabpi.b2047.com, oklm.b2047.com, etc.). However, in June 2023 the C2 subdomain length expanded to a longer\r\npattern (e.g. amushuvfikjas.b2047.com, acgtjkiufde.b2047.com, etc.) and the Finch campaign ramped up. By mid-June 2023, at least 10,000 distinct devices were infected.\r\nCanary campaign (May 2023 to August 2023)\r\nStarting in late May 2023, Raptor Train operators began a more tailored campaign in terms of types of devices in\r\nTier 1, heavily targeting ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs and ASUS RT-\r\n* and GT-* routers (among others). 
While this campaign did continue the use of the b2047.com C2 domain (and\r\nassociated subdomains), it was the first time Black Lotus Labs observed the use of multi-stage droppers and some\r\ndegree of in-memory “persistence” for the Nosedive implant. There was also a notable increase, compared to\r\nearlier campaigns, in the number of Tier 2 C2 servers (from approximately 1-3 active to over 10 active) and in\r\nTier 1 nodes (from approximately 10,000 to over 60,000) during the Canary campaign.\r\nOriole campaign (June 2023 to Present)\r\nBeginning in June 2023, another large exploitation campaign kicked off, sharing a few months’ overlap with the\r\nmore tailored Canary campaign. The Oriole campaign is signified primarily by the root domain w8510.com and\r\nassociated C2 subdomains (e.g. qacassdfawemp.w8510.com, dftiscasdwe.w8510.com, etc.).\r\nBetween April 2024 and August 2024, Black Lotus Labs saw an expansion of exploited device types including\r\nVNPT iGate routers, AXIS IP cameras and compromised NAS devices such as QNAP NAS, Zyxel NAS, Fujitsu\r\nNAS and Synology NAS. By August 2024, Raptor Train maintained an average of approximately 30,000\r\ncompromised devices in Tier 1, which is a testament to its size and scale given how quickly the devices power\r\ncycle and rotate (as mentioned earlier, cycling on average every 17 days).\r\nThe w8510.com C2 domain for this campaign became so prominent in compromised IoT devices that, in June\r\n2024, it was included in the Cisco Umbrella domain rankings, and by August 2024 it was included in Cloudflare\r\nRadar’s top 1 million domains, as it became one of the top million most resolved domains on the internet. 
This is a\r\nconcerning feat because domains reported in these popularity lists often circumvent security tools via domain\r\nwhitelisting, enabling the botnet operators to maintain access and further avoid detection.\r\nThese campaigns highlight the evolving tactics, techniques, and procedures (TTPs) of the Raptor Train botnet\r\noperators, as well as the resources that continuously feed into the development, maintenance and growth of the\r\nbotnet.\r\nAttribution and operational use\r\nBased on management and operational timeframes favored by Raptor Train, the targeting of sectors aligned with\r\nChinese interests, Chinese language use, and other TTP overlaps; Black Lotus Labs assesses the botnet operators\r\nof Raptor Train are likely the nation-state Chinese threat actors known as Flax Typhoon.\r\nAnalysis of Tier 3 management node sessions in which the nodes are connecting to Tier 2 C2 servers for\r\nmanagement activity shows almost exclusively Chinese working hours, Monday through Friday:\r\nBlack Lotus Labs uncovered targeting activities through this network that appeared to be concentrated on the\r\nmilitary, government, higher education, telecommunications, defense industrial base (DIB), and information\r\ntechnology (IT) sectors in the U.S. and Taiwan. For instance, in late December 2023, the botnet operators\r\nconducted extensive scanning efforts targeting the U.S. military, U.S. government, IT providers, and DIBs. 
There\r\nwas also widespread, global targeting, such as a government agency in Kazakhstan, along with more targeted\r\nscanning and likely exploitation attempts against vulnerable software including Atlassian Confluence servers and\r\nIvanti Connect Secure appliances (likely via CVE-2024-21887) in the same sectors.\r\nConclusion\r\nBlack Lotus Labs’ investigation into the Raptor Train botnet has revealed a highly sophisticated and large-scale\r\noperation likely managed by the Chinese nation-state threat actors known as Flax Typhoon. The botnet, which has\r\nbeen active for over four years, has compromised hundreds of thousands of SOHO devices making it one of the\r\nlargest Chinese state-sponsored IoT botnets seen to date. The botnet operators manage this extensive network with\r\na custom-built, cross-platform application through a multi-tiered distributed payload and C2 architecture that\r\nallows them to manage hundreds of thousands of devices worldwide.\r\nThis botnet has targeted entities in the U.S. and Taiwan across various sectors, including military, government,\r\nhigher education, telecommunications, defense industrial base, and IT. The investigation has yielded insights into\r\nthe botnet’s network architecture, exploitation campaigns, malware components, and operational use, illuminating\r\nthe evolving tactics and techniques employed by the threat actors. A major concern of the Raptor Train botnet is\r\nthe DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for\r\nfuture use.\r\nOur findings underscore the importance of continued vigilance and collaboration among cybersecurity\r\nprofessionals to detect, analyze, and mitigate such sophisticated threats. 
Black Lotus Labs remains committed to\r\nmonitoring and disrupting the activities of the Raptor Train botnet and other similar threats to ensure the security\r\nand integrity of global digital infrastructure.\r\nTo protect their networks from compromises by advanced threat actors and others who may leverage sophisticated\r\nnetworks such as Raptor Train:\r\nNetwork defenders: Look for large data transfers out of the network, even if the destination IP address is\r\nphysically located in the same geographical area.\r\nAll organizations: Consider comprehensive secure access service edge (SASE) or similar solutions to\r\nbolster their security posture and enable robust detection on network-based communications.\r\nConsumers with SOHO routers: Users should follow best practices of regularly rebooting routers and\r\ninstalling security updates and patches. Users should use properly configured and updated EDR solutions\r\non hosts and regularly update software consistent with vendor patches where applicable.\r\nAll users of networking equipment: Remain mindful of devices at or near “end-of-life” and aging out of\r\nvendor support. So-called “EoL” devices are an attack surface that draws the attention of an ever-growing\r\nfield of attackers.\r\nThe details above are a summarized version of the full Raptor Train report. You can download the full Raptor\r\nTrain report to dive deeper into the network architecture, malware analysis, exploitation campaigns, targeting and\r\nattribution of this expansive botnet. We have added the indicators of compromise (IoCs) from this campaign into\r\nthe threat intelligence feed that fuels the Lumen Connected Security portfolio and are blocking all traffic to or\r\nfrom the known infrastructure of this botnet.\r\nAnalysis of the Raptor Train botnet was performed by Michael Horka and Steve Rudd. 
Technical editing by Ryan\r\nEnglish and Danny Adamitis.\r\nFor additional IoCs associated with this campaign, please download the full Raptor Train report or visit our\r\nGitHub page.\r\nIf you would like to collaborate on similar research, please contact us on social media @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use\r\nof this information is at the end user’s own risk.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the\r\ninternet clean.\r\nSource: https://blog.lumen.com/derailing-the-raptor-train/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.lumen.com/derailing-the-raptor-train/"
	],
	"report_names": [
		"derailing-the-raptor-train"
	],
	"threat_actors": [
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee9ef33464b87e53e9f8406fc537f089694f8656.pdf",
		"text": "https://archive.orkl.eu/ee9ef33464b87e53e9f8406fc537f089694f8656.txt",
		"img": "https://archive.orkl.eu/ee9ef33464b87e53e9f8406fc537f089694f8656.jpg"
	}
}