{
	"id": "6bd7b552-3431-4036-b96a-eb10b6b7f7a2",
	"created_at": "2026-04-06T00:19:57.930664Z",
	"updated_at": "2026-04-10T03:32:04.759558Z",
	"deleted_at": null,
	"sha1_hash": "ef20c0cd1a9ecb6f1446454a091bb2e5f64a51e1",
	"title": "Arid Viper poisons Android apps with AridSpy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1929986,
	"plain_text": "Arid Viper poisons Android apps with AridSpy\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:40:18 UTC\r\nESET researchers have identified five campaigns targeting Android users with trojanized apps. Most probably\r\ncarried out by the Arid Viper APT group, these campaigns started in 2022 and three of them are still ongoing at the\r\ntime of the publication of this blogpost. They deploy multistage Android spyware, which we named AridSpy, that\r\ndownloads first- and second-stage payloads from its C\u0026C server to assist it avoiding detection. The malware is\r\ndistributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a\r\nPalestinian Civil Registry app. Often these are existing applications that had been trojanized by the addition of\r\nAridSpy’s malicious code.\r\nKey points of the blogpost:\r\nESET Research discovered three-stage Android malware, which we named AridSpy, being\r\ndistributed via five dedicated websites.\r\nAridSpy’s code is in some cases bundled into applications that provide legitimate functionality.\r\nWhile the first stage of AridSpy has been documented previously, here we also provide a full\r\nanalysis of its previously unknown later stages.\r\nAridSpy is a remotely controlled trojan that focuses on user data espionage.\r\nWe detected six occurrences of AridSpy, in Palestine and Egypt.\r\nWe attribute AridSpy with medium confidence to the Arid Viper APT group.\r\nArid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyberespionage group that has\r\nbeen active since at least 2013. Known for targeting countries in the Middle East, the group has drawn attention\r\nover the years for its vast arsenal of malware for Android, iOS, and Windows platforms. We reported on the group\r\nand its then-newest spyware in a previous blogpost.\r\nOverview\r\nESET Research identified five Arid Viper campaigns targeting Android users. 
These campaigns delivered malware via dedicated websites from which victims could download and manually install an Android application. Three apps provided on these websites are legitimate apps trojanized with malicious code that we named AridSpy, whose purpose is espionage. You can see the overview scheme in Figure 1.\r\nhttps://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/\r\nPage 1 of 33\n\nFigure 1. Infiltration overview\r\nAridSpy was first analyzed by Zimperium in 2021; at the time, the malware only consisted of a single stage, with all the malicious code implemented in the trojanized application.\r\nThe second occurrence of AridSpy that ESET Research identified was being used in 2022 (and later analyzed by 360 Beacon Labs in December 2022), where the malware operators targeted the FIFA World Cup in Qatar. Impersonating one of the many Kora applications, the campaign deployed the Kora442 app bundled with AridSpy. As in the case of the sample analyzed by Zimperium, the malware still only had one stage at this time.\r\nIn March 2023, 360 Beacon Labs analyzed another Android campaign operated by Arid Viper and found a connection between the Kora442 campaign and the Arid Viper group, based on use of the myScript.js file mentioned in Figure 1. We found the same connection in the campaigns discussed in this blogpost (as explained in the Attribution section). It has proven to be a useful indicator to identify additional Arid Viper distribution websites.\r\nIn August 2023 we logged a detection of AridSpy in our telemetry and investigated further. We identified targets in Palestine and Egypt. 
New in these campaigns, AridSpy was turned into a multistage trojan, with additional payloads being downloaded from the C\u0026C server by the initial, trojanized app.\r\nAt the time of this publication, three out of the five discovered campaigns are still active; the campaigns used dedicated websites to distribute malicious apps impersonating NortirChat, LapizaChat, and ReblyChat, and the تطبيق المشغل (machine translation: Operator application; we will refer to this as the job opportunity app) and السجل المدني الفلسطيني (machine translation: Palestinian Civil Registry) apps. We discovered the following distribution websites via our telemetry, VirusTotal, and pivoting on the shared myScript.js script using the FOFA network search engine (which is an alternative to Shodan and Censys):\r\nlapizachat[.]com\r\nreblychat[.]com\r\nnortirchats[.]com\r\npariberychat[.]com (inactive)\r\nrenatchat[.]com (inactive)\r\nParallel to our investigation, the FOFA research team published a blogpost that discusses discovering seven distribution websites with the myScript.js JavaScript file responsible for retrieving the download paths for Arid Viper payloads. Four of these websites distributed various versions of AridSpy. The following two were previously unknown to us:\r\nclemochat[.]com\r\nvoevanil[.]com\r\nIn this blogpost, we focus on AridSpy payloads that we could obtain from all the confirmed active distribution websites listed above.\r\nNote that these malicious apps have never been offered through Google Play and are downloaded from third-party sites. To install these apps, the potential victim is requested to enable the non-default Android option to install apps from unknown sources.\r\nVictimology\r\nAltogether we detected six occurrences of AridSpy in our telemetry, from Palestine and Egypt. 
The majority of the spyware instances registered in Palestine were for the malicious Palestinian Civil Registry app, with one other detection not being part of any campaign mentioned in this blogpost. We then found the same first-stage payload but with a different package name in Egypt. There was also another first-stage payload detected in Egypt, one that uses the same C\u0026C servers as the samples in the LapizaChat and job opportunity campaigns.\r\nAttribution\r\nWe attribute AridSpy to Arid Viper with medium confidence, based on these indicators:\r\nAridSpy targeted organizations in Palestine and Egypt, which fits a subset of Arid Viper’s typical targeting.\r\nMultiple AridSpy distribution websites use a unique, malicious JavaScript file named myScript.js, which has been previously linked to Arid Viper by 360 Beacon Labs and FOFA.\r\nmyScript.js was first discovered and linked to Arid Viper in 360 Beacon Labs’ March 30th, 2023 analysis of a different Android campaign operated by Arid Viper. The (unnamed) malicious Android code used in that campaign was previously attributed to the Arid Viper group. myScript.js was found on one of the distribution websites used in the campaign. The purpose of this JavaScript code was to download a malicious Android app hosted on the distribution server.\r\nFigure 2 shows the part of the code that registers the handler for clicks on the website’s Download button, and Figure 3 displays JavaScript code that generates file paths to download the malicious app.\r\nFigure 2. Registration of a click event handler for the Download button\r\nFigure 3. JavaScript code responsible for downloading the malicious app\r\nAs pointed out by 360 Beacon Labs, this same JavaScript code was also used in the campaign that targeted the FIFA World Cup in Qatar with an earlier version of AridSpy, which we reported in 2022. In both campaigns, the distribution websites used this specific myScript.js script to retrieve a malicious app from a server, although the final payload was different.\r\nFinally, we found a very similar piece of JavaScript on the distribution websites for the campaigns discussed in this blogpost, distributing NortirChat, LapizaChat, and ReblyChat. During our investigation, this linkage was independently confirmed by the research team of the FOFA search engine, who found seven of the same distribution websites that contained the myScript.js responsible for downloading Android AridSpy, and attributed this malware to Arid Viper.\r\nWe have not been able to link the JavaScript code used in these campaigns to any legitimate or open-source project, which leads us to believe that this script is most likely specific to various Arid Viper campaigns distributing Android malware.\r\nIt is possible that Arid Viper reused this distribution method, but switched to a new tool, AridSpy, for its new campaigns, since the (unnamed) malware family the group used before was disclosed and analyzed by various researchers and security companies.\r\nInterestingly, we also discovered a different version of myScript.js on the AridSpy distribution site, masquerading as a Palestinian Civil Registry app. 
In this case, the script had the same purpose but not the same JavaScript code: instead of downloading AridSpy, this script just returned a hardcoded link to AridSpy.\r\nThis version of the script is based on a script available online, contrary to the earlier versions that appear to use a custom-developed myScript.js file. When the earlier versions of myScript.js were disclosed and attributed to Arid Viper, the threat actors most likely changed its code to avoid their new code being connected to the group.\r\nTechnical analysis\r\nInitial access\r\nThe distribution mechanism is very similar for all campaigns mentioned in this section. In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s Download button, myScript.js, hosted on the same server, is executed to generate the correct download file path for the malicious AridSpy. This script makes an AJAX request to api.php located on the same server and returns a specific file directory and name.\r\nTrojanized messaging applications\r\nStarting chronologically, we will first look at the campaign posing as LapizaChat, a malicious Android application that was available for download from the dedicated lapizachat[.]com website. This website was registered on January 16th, 2022 and is no longer active. Its interface can be seen in Figure 4.\r\nFigure 4. LapizaChat website\r\nIn an open directory on the server, there was not one, but actually three LapizaChat Android apps, stored in different directories. One of the apps was a copy of the legitimate StealthChat: Private Messaging app and had no malicious functionality. 
It contained the same legitimate messaging code as StealthChat, but with a different application icon, name, and package name. This app has been available on the distribution website since January 18th, 2022.\r\nThe other two apps were trojanized versions of StealthChat: Private Messaging bundled with AridSpy’s malicious code. Based on the last modification date, they were available on the server since July 5th, 2023 and September 18th, 2023 respectively. The two malicious apps are very similar to each other; the latter sample contains the same malicious code, with only minor, insignificant changes. It was this version that the victim would download from the website after clicking the Download Now button. Filenames, last modification dates, and hashes are listed in Table 1.\r\nTable 1. Samples available on lapizachat[.]com website\r\nFilename | Last modified | SHA-1 | Description\r\nLapizaChat.apk | 2022‑01‑18 | D99D9689A7C893AFCE8404D273D6BA31446C998D | The legitimate StealthChat: Private Messaging application, version 1.8.42 (6008042).\r\nLapizaChat_old.apk | 2023‑07‑05 | 3485A0A51C6DAE251CDAD20B2F659B3815212162 | StealthChat trojanized with AridSpy, distributed under the name LapizaChat.\r\nLapizaChat.apk | 2023‑09‑18 | F49B00896C99EA030DCCA0808B87E414BBDE1549 | StealthChat trojanized with AridSpy, distributed under the name LapizaChat.\r\nWe identified two other campaigns that started distributing AridSpy after LapizaChat, this time posing as messaging apps named NortirChat and ReblyChat. They were distributed (after clicking on the Download button) via the websites nortirchats[.]com, registered on September 21st, 2022, and reblychat[.]com, registered on April 30th, 2023; see Figure 5.\r\nFigure 5. NortirChat (left) and ReblyChat (right) distribution websites\r\nSimilar to the previous case, we were able to retrieve additional samples from open directories, including both the clean and trojanized versions of the messaging applications. NortirChat is based on the legitimate Session messaging app, while ReblyChat is based on the legitimate Voxer Walkie Talkie Messenger. In both cases, the trojanized applications have the same code but the malware developers changed the application icon, name, and package name. Table 2 and Table 3 list details of the applications retrieved from these servers.\r\nTable 2. Samples available on nortirchats[.]com website\r\nFilename | Last modified | SHA-1 | Description\r\nNortirChat_old.apk | 2022‑09‑28 | 13A89D28535FC1D537946D7D017DA02671227924 | The legitimate Session messaging app, version 1.16.5 (3331).\r\nNortirChat.apk | 2023‑03‑19 | 1878F674F59E81E869860EB9A2269046DF5CE855 | Session app trojanized with AridSpy, distributed under the name NortirChat.\r\nNortirChat_old.apk | 2023‑06‑14 | 2158D88BCE6368FAC3FCB7F3A508FE6B96B0CF8A | Session app trojanized with AridSpy, distributed under the name NortirChat.\r\nNortirChat.apk | 2023‑09‑11 | DB6B6326B772257FDDCB4BE7CF1A0CC0322387D8 | Session app trojanized with AridSpy, distributed under the name NortirChat.\r\nTable 3. Samples available on reblychat[.]com website\r\nFilename | Last modified | SHA-1 | Description\r\nreblychat.apk | 2023‑06‑08 | FFDD0E387EB3FEF7CBD2E3DCA5D8924275C3FB94 | The legitimate Voxer Walkie Talkie Messenger application, version 4.0.2.22408 (3669119).\r\nreblychat-old.apk | 2023‑06‑08 | A64D73C43B41F9A5B938AE8558759ADC474005C1 | The Voxer Walkie Talkie Messenger app trojanized with AridSpy, distributed under the name ReblyChat.\r\nreblychat.apk | 2023‑06‑11 | 797073511A15EB85C1E9D8584B26BAA3A0B14C9E | The Voxer Walkie Talkie Messenger app trojanized with AridSpy, distributed under the name ReblyChat.\r\nMasquerading as a Palestinian Civil Registry application\r\nMoving on from trojanizing chat applications for the time being, the operators then launched a campaign distributing an app purporting to be from the Palestinian Civil Registry (السجل المدني الفلسطيني). The malicious app claims to offer general information about the residents of Palestine, such as name, place of residence, date of birth, ID number, and other information. This campaign provides a malicious Android app available for download from palcivilreg[.]com, registered on May 30th, 2023; see Figure 6.\r\nFigure 6. palcivilreg[.]com website\r\nMachine translation of the website from Figure 6: “Palestinian Civil Registry. To find out information about any person or search for any person’s identity number or date of birth, download the application to search the Palestinian civil registry.”\r\nThis website is advertised via a dedicated Facebook page – see Figure 7 – that was created on July 25th, 2023 and links directly to palcivilreg[.]com. 
We have reported this page to Facebook.\r\nFigure 7. Facebook page promoting the palcivilreg[.]com website for every Palestinian to identify personal data\r\nMachine translation of the cover photo visible in Figure 7: “Palestinian Civil Registry. Search for any person’s name and obtain his full data. Get date of birth and age of any person. Ease of searching and entering the application.”\r\nSelecting the تحميل (Download, in Arabic; see Figure 6) button executes myScript.js, initiating download from a hardcoded URL; see Figure 8. This instance of myScript.js code is slightly changed, compared to previously mentioned campaigns, but achieves the same results – retrieving a file from a malicious link. This version of the script can be found in many tutorials available online; one of its first occurrences seems to be from February 2019.\r\nFigure 8. Content of myScript.js file\r\nThe Palestinian Civil Registry app is inspired by an app on Google Play that has been available for download since March 2020 and provides the same functionality as claimed on the palcivilreg[.]com site. The app on Google Play is linked to the website zezsoft.wuaze[.]com, which allows downloading iOS and Android apps. At the time of this research, the iOS application was not available, and the Android app link refers to the file-sharing storage site MediaFire, not to Google Play. This app was no longer available from MediaFire, so we are not able to confirm whether that version was legitimate.\r\nBased on our investigation, the malicious app available on palcivilreg[.]com is not a trojanized version of the app on Google Play; however, it uses that app’s legitimate server to retrieve information. This means that Arid Viper was inspired by that app’s functionality but created its own client layer that communicates with the legitimate server. 
Most likely, Arid Viper reverse engineered the legitimate Android app from Google Play and used its server for retrieving victims’ data.\r\nMasquerading as a job portal application\r\nThe last campaign we identified distributes AridSpy as an app named تطبيق المشغل (machine translation: Operator application; we refer to this as the job opportunity app), available for download from almoshell[.]website, registered on August 19th, 2023. This website claims to provide a job to anyone who applies through the Android app. In this case, the malicious app is not a trojanized version of any legitimate app. When supposedly applying for a job, AridSpy makes requests to almoshell[.]website for registered users. This service runs on a malware distribution website, so it is difficult to identify whether any relevant work offers are returned to the app’s user or not. The website is shown in Figure 9.\r\nFigure 9. Distribution website that allegedly provides a job by sending an application with the linked Android app\r\nThe job opportunity app has been available for download from this distribution site since August 20th, 2023; see Figure 10.\r\nFigure 10. Last modified sample update\r\nToolset\r\nAll analyzed Android apps from these campaigns contain similar malicious code, and download first- and second-stage payloads; our analysis focuses on the NortirChat and LapizaChat campaigns, where we were able to obtain the final payloads.\r\nTrojanized application\r\nThe campaigns mostly deploy legitimate apps that have been trojanized. 
In the analyzed LapizaChat and NortirChat cases, malicious functionality responsible for downloading a payload is implemented in the apputils subpackage inserted into the legitimate messaging apps, as can be seen in Figure 11.\r\nFigure 11. Code comparison of legitimate StealthChat (left) and its trojanized version advertised as LapizaChat (right)\r\nAfter the initial start of the app, the malware looks for installed security software based on a hardcoded list of dozens of security applications, and reports the results to the C\u0026C server. The complete list of these apps, along with their package names, is in Table 4.\r\nTable 4. List of security apps in the order that they appear in the code\r\nApp name | Package name\r\nBitdefender Mobile Security | com.bitdefender.security\r\nAvast Antivirus \u0026 Security | com.avast.android.mobilesecurity\r\nMcAfee Security: Antivirus VPN | com.wsandroid.suite\r\nAvira Security Antivirus \u0026 VPN | com.avira.android\r\nMalwarebytes Mobile Security | org.malwarebytes.antimalware\r\nKaspersky: VPN \u0026 Antivirus | com.kms.free\r\nESET Mobile Security Antivirus | com.eset.ems2.gp\r\nSophos Intercept X for Mobile | com.sophos.smsec\r\nDr.Web Security Space | com.drweb.pro\r\nMobile Security \u0026 Antivirus | com.trendmicro.tmmspersonal\r\nQuick Heal Total Security | com.quickheal.platform.advance.blue.market\r\nAntivirus and Mobile Security | com.quickheal.platform\r\nSecurity Antivirus Max Cleaner | com.maxdevlab.cleaner.security\r\nAVG AntiVirus \u0026 Security | com.antivirus\r\nAPUS Security:Antivirus Master | com.guardian.security.pri\r\nNorton360 Mobile Virus Scanner | com.symantec.mobilesecurity\r\n360 Security | com.qihoo.security\r\nLookout Life - Mobile Security | com.lookout\r\ndfndr security: antivirus | com.psafe.msuite\r\nVirus Cleaner, Antivirus Clean | phone.antivirus.virus.cleaner.junk.clean.speed.booster.master\r\nAntivirus \u0026 Virus Cleaner Lock | com.antivirus.mobilesecurity.viruscleaner.applock\r\nGO Security－AntiVirus, AppLock, Booster | com.jb.security\r\nZimperium MTD | com.zimperium.zips\r\nIntune Company Portal | com.microsoft.windowsintune.companyportal\r\nActive Shield Enterprise | com.better.active.shield.enterprise\r\nHarmony Mobile Protect | com.lacoon.security.fox\r\nLookout for Work | com.lookout.enterprise\r\nTrellix Mobile Security | com.mcafee.mvision\r\nMicrosoft Defender: Antivirus | com.microsoft.scmx\r\nSophos Mobile Control | com.sophos.mobilecontrol.client.android\r\nJamf Trust | com.wandera.android\r\nSEP Mobile | com.skycure.skycure\r\nPradeo Security | net.pradeo.service\r\nIf security software on the list is installed on the device, the malware will send this information to the C\u0026C server. If the server returns the value 0, then the first-stage payload will not be downloaded. If the server returns the value 1, then AridSpy proceeds and downloads the first-stage payload. In all cases that we observed, when a security app was installed on the device, the server returned the value 0 and payloads were not downloaded.\r\nAridSpy uses trivial string obfuscation, where each string is declared by converting a character array into a string. This method was used in every sample and even in the first published analysis by Zimperium. That same obfuscation is also applied in the first- and second-stage payloads. Figure 12 shows an example.\r\nFigure 12. String obfuscation\r\nIf security software is not installed, AridSpy downloads the AES-encrypted first-stage payload from its C\u0026C server. This payload is then decrypted using a hardcoded key, and the potential victim is asked to install it manually. The first-stage payload impersonates an update of Google Play services, as displayed in Figure 13.\r\nFigure 13. Request to potential victim to install first-stage payload: left to right; LapizaChat, ReblyChat, and Palestinian Civil Registry\r\nFirst-stage payload\r\nDuring installation of the malicious update, the first-stage payload displays app names such as Play Manager or Service Google. This payload works separately, without the necessity of having the trojanized app installed on the same device. This means that if the victim uninstalls the initial trojanized app, for example LapizaChat, AridSpy will not be in any way affected.\r\nFunctionality-wise, the first-stage payload is similar to the trojanized application. It is responsible for downloading the second-stage payload, which is then dynamically loaded and executed. The first-stage payload downloads an AES-encrypted second-stage payload from a hardcoded URL and controls its further execution.\r\nSecond-stage payload\r\nThe second-stage payload is a Dalvik executable (dex); based on our observations, it always has the name prefLog.dex. The malicious functionality is implemented in this stage; however, it is operated by the first-stage payload, which loads it whenever necessary.\r\nAridSpy uses a Firebase C\u0026C domain for receiving commands, and a different, hardcoded C\u0026C domain for data exfiltration. We reported the Firebase servers to Google, since it provides the service.\r\nWhen payloads are downloaded and executed, AridSpy sets listeners to monitor when the device screen is on and off. 
If the victim locks or unlocks the phone, AridSpy will take a picture using the front camera and send it to the exfiltration C\u0026C server. Pictures are taken only if it is more than 40 minutes since the last picture was taken and the battery level is above 15%. By default, these pictures are taken using the front camera; however, this can be changed by receiving a command from the Firebase C\u0026C server to use the rear camera. Images are archived in the data.zip file on internal storage and uploaded to the exfiltration C\u0026C server.\r\nAridSpy has a feature intended to avoid network detection – specifically C\u0026C communication. It can deactivate itself, as AridSpy states in the code, by changing the exfiltration C\u0026C server used for data upload to a dummy hardcoded androidd[.]com domain (a currently registered typosquat). This action occurs based on a command received from the Firebase C\u0026C server. The dummy domain would probably look more legitimate, is not flagged as malicious, and might not trigger network detection systems.\r\nData exfiltration is initiated either by receiving a command from the Firebase C\u0026C server or when a specifically defined event is triggered. These events are defined in AndroidManifest.xml and are caused when actions occur, such as: internet connectivity changes, the app is installed or uninstalled, a phone call is made or received, an SMS message is sent or received, a battery charger is connected or disconnected, or the device reboots.\r\nIf any of these events occurs, AridSpy starts to gather various victim data and uploads it to the exfiltration C\u0026C server. 
It can collect:\r\ndevice location,\r\ncontact list,\r\ncall logs,\r\ntext messages,\r\nthumbnails of photos,\r\nthumbnails of recorded videos,\r\nrecorded phone calls,\r\nrecorded surrounding audio,\r\nmalware-taken photos,\r\nfile structure of external storage,\r\nsix WhatsApp databases (wa.db-wal, wa.db-shm, wa.db, msgstore.db-wal, msgstore.db-shm, msgstore.db) that contain exchanged messages and user contacts, if the device is rooted,\r\nbookmarks and search history from the default browser and Chrome, Samsung Browser, and Firefox apps if installed,\r\ndata in the clipboard,\r\nfiles from external storage with file size smaller than 30 MB and extensions .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .opus,\r\nthumbnails from the Samsung Gallery app stored in the /storage/emulated/0/Android/data/com.sec.android.gallery3d/cache/ directory,\r\nall received notifications,\r\nFacebook Messenger and WhatsApp communication, and\r\nlogs of all text visible by misusing Accessibility services.\r\nBesides waiting for events to occur, the Arid Viper operator can extract specific information and upload it immediately to the exfiltration C\u0026C server by sending commands to the compromised device. AridSpy can receive commands from its Firebase C\u0026C server to obtain data or to control the malware. 
Operators can exfiltrate:\r\ndevice location,\r\ncontact list,\r\ntext messages,\r\ncall logs,\r\nthumbnails of photos,\r\nthumbnails of recorded videos,\r\na specific image from external storage based on an ID received from the Firebase C\u0026C server,\r\na specific video from external storage based on an ID received from the Firebase C\u0026C server,\r\nrecorded audio,\r\nimages taken on demand,\r\na specific file by file path received from the C\u0026C, and\r\ndevice info such as whether Facebook Messenger and WhatsApp apps are installed, device storage, battery percentage, internet connection, Wi-Fi connection data, screen on or off status, and the time zone.\r\nBy receiving control commands, it can:\r\ndeactivate communication by replacing the exfiltration C\u0026C domain with the dummy value androidd[.]com,\r\nactivate communication by replacing the dummy androidd[.]com C\u0026C domain with another domain name,\r\nallow data upload when on a mobile data plan, and\r\nchange the exfiltration C\u0026C server for data upload.\r\nAridSpy can snoop on user activity by keylogging all text visible and editable in any application. On top of that, it specifically focuses on Facebook Messenger and WhatsApp communications, which are stored and exfiltrated separately. To accomplish this task, it misuses built-in accessibility services to record all text visible and uploads it to the exfiltration C\u0026C server. Examples of stored WhatsApp communications can be seen in Figure 14.\r\nFigure 14. Victim’s WhatsApp communication (right) logged by AridSpy (left)\r\nBefore collected data is uploaded to the exfiltration C\u0026C server, it is stored on internal storage, in /data/data/\u003cpackage_name\u003e/files/files/systems/, which belongs to AridSpy. 
The obtained contact list, SMS, call logs, location, captured keys, file structures, and other text information are stored in plain text as JSON files. All exfiltrated data is saved using specific filenames that might contain file IDs, filenames, time stamps, location, phone number, and AridSpy version. These values are divided by the delimiter #$\u0026, as can be seen in Figure 15.\r\nFigure 15. Filenames of multimedia data exfiltrated from device (highlighted is the embedded malware version number)\r\nAll these files from any particular subdirectory are then zipped into data.zip and encrypted using custom encryption. Each of the encrypted files uses a randomly generated filename with the _Father.zip suffix. This string is hardcoded and appended to every file. The files are then uploaded to the exfiltration C\u0026C server and removed from the device.\r\nWhile going through the decompiled AridSpy code, we identified a version number, which is used as part of the filename when exfiltrating victim data (#$\u0026V30#$\u0026), also visible in Figure 15 (highlighted is the version number). The AridSpy version has been changing across the campaigns and was included even with its first variant disclosed in 2021. For some of the AridSpy samples, the version number is present in the trojanized app and also in the second-stage payload. This version might be different, since the downloaded payload can be updated. In Table 5, you can see the package names and their versions. Some trojanized apps contained the version number only in their payloads, not in the body of the executable.\r\nTable 5. Malware versions found in samples\r\nApp name | Package name | SHA-1 | Version\r\nSystem Update | com.update.system.important | 52A508FEF60082E1E4ECE9109D2CEC1D407A0B92 | 22\r\n[without app name] | com.weather.services.manager | A934FB482F61D85DDA5E52A7015F1699BF55B5A9 | 26\r\n[without app name] | com.studio.manager.app | 5F0213BA62B84221C9628F7D0A0CF87F27A45A28 | 26\r\nKora442 | com.app.projectappkora | 60B1DA6905857073C4C46E7E964699D9C7A74EC7 | 27\r\nتطبيق المشغل | com.app.workapp | 568E62ABC0948691D67236D9290D68DE34BD6C75 | 29\r\nNortirChat | cx.ring | DB6B6326B772257FDDCB4BE7CF1A0CC0322387D8 | 30\r\nprefLog.dex | com.services.android.handler | 16C8725362D1EBC8443C97C5AB79A1B6428FF87D | 30\r\nprefLog.dex | com.setting.manager.admin.handler | E71F1484B1E3ACB4C8E8525BA1F5F8822AB7238B | 31\r\nThe Version column of the table suggests that the malware is regularly maintained.\r\nIt is worth mentioning that the trojanized malicious apps used for the Palestinian Civil Registry and job opportunity campaigns have implemented malicious functionality that is then also provided in the second-stage payload. It seems very unusual to download a payload if the same functionality is already included. The duplicated malicious functionality doesn’t seem to be an intended behavior, as it is not implemented in samples for other campaigns; rather, it might be code left over from a time before the malware was updated to provide two additional stages. Even so, these two trojanized apps can receive commands and spy on victims without needing additional payloads. 
Naturally, the second-stage payload carries the latest updates and malicious code changes, which can be pushed to other ongoing campaigns.\r\nConclusion\r\nFive campaigns, most likely operated by the Arid Viper APT group, distribute Android spyware, which we've named AridSpy, via dedicated websites, with AridSpy’s malicious code implanted into various trojanized apps. This malware family has two additional stages that are downloaded from a C\u0026C server. The purpose of the second-stage payload is espionage via victim data exfiltration. AridSpy also has a hardcoded internal version number that differs in these five campaigns and from other samples disclosed before. This information suggests that AridSpy is maintained and might receive updates or functionality changes.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1660 | Phishing | AridSpy has been distributed using dedicated websites impersonating legitimate services.\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | AridSpy receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | AridSpy registers to receive the NEW_OUTGOING_CALL, PHONE_STATE, SMS_RECEIVED, SMS_DELIVER, BOOT_COMPLETED, USER_PRESENT, CONNECTIVITY_CHANGE, ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED, PACKAGE_ADDED, and PACKAGE_CHANGE broadcast intents to activate itself.\r\nDefense evasion | T1407 | Download New Code at Runtime | AridSpy can download first- and second-stage payloads.\r\nDefense evasion | T1406 | Obfuscated Files or Information | AridSpy decrypts a downloaded payload with obfuscated code and strings.\r\nDiscovery | T1418 | Software Discovery | AridSpy can identify whether Facebook Messenger and WhatsApp apps are installed on a device.\r\nDiscovery | T1418.001 | Software Discovery: Security Software Discovery | AridSpy can identify, from a predefined list, what security software is installed.\r\nDiscovery | T1420 | File and Directory Discovery | AridSpy can list files and directories on external storage.\r\nDiscovery | T1426 | System Information Discovery | AridSpy can extract information about the device including device model, device ID, and common system information.\r\nDiscovery | T1422 | System Network Configuration Discovery | AridSpy extracts the IMEI number.\r\nCollection | T1512 | Video Capture | AridSpy can take photos.\r\nCollection | T1532 | Archive Collected Data | AridSpy encrypts data before extraction.\r\nCollection | T1533 | Data from Local System | AridSpy can exfiltrate files from a device.\r\nCollection | T1417.001 | Input Capture: Keylogging | AridSpy can log all text visible and specifically log Facebook Messenger and WhatsApp chat communication.\r\nCollection | T1517 | Access Notifications | AridSpy can collect messages from various apps.\r\nCollection | T1429 | Audio Capture | AridSpy can record audio from the microphone.\r\nCollection | T1414 | Clipboard Data | AridSpy can obtain clipboard contents.\r\nCollection | T1430 | Location Tracking | AridSpy tracks device location.\r\nCollection | T1636.002 | Protected User Data: Call Logs | AridSpy can extract call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | AridSpy can extract the device’s contact list.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | AridSpy can extract SMS messages.\r\nCommand and Control | T1481.003 | Web Service: One-Way Communication | AridSpy uses Google’s Firebase server as a C\u0026C.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | AridSpy exfiltrates data using HTTPS.\r\nSource: https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/\r\nStarting chronologically, we will first look at the campaign posing as LapizaChat, a malicious Android application that was available for download from the dedicated lapizachat[.]com website. This website was registered on January 16th, 2022 and is no longer active. Its interface can be seen in Figure 4.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/"
	],
	"report_names": [
		"arid-viper-poisons-android-apps-with-aridspy"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434797,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef20c0cd1a9ecb6f1446454a091bb2e5f64a51e1.pdf",
		"text": "https://archive.orkl.eu/ef20c0cd1a9ecb6f1446454a091bb2e5f64a51e1.txt",
		"img": "https://archive.orkl.eu/ef20c0cd1a9ecb6f1446454a091bb2e5f64a51e1.jpg"
	}
}