{
	"id": "3e327286-6dc6-4a89-be41-978cb1d4a58e",
	"created_at": "2026-04-06T00:17:14.543194Z",
	"updated_at": "2026-04-10T13:11:48.086351Z",
	"deleted_at": null,
	"sha1_hash": "f05d1524424f5ec5484b5d0858fee86919307ec0",
	"title": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1449776,
	"plain_text": "Moonstone Sleet emerges as new North Korean threat actor with\r\nnew bag of tricks\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-05-28 · Archived: 2026-04-05 21:34:54 UTC\r\nMicrosoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789),\r\nthat uses both a combination of many tried-and-true techniques used by other North Korean threat actors and\r\nunique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet\r\nis observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized\r\nversions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.\r\nMoonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors\r\nover the last several years, highlighting the overlap among these groups. While Moonstone Sleet initially had\r\noverlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing\r\nitself as a distinct, well-resourced North Korean threat actor.\r\nThis blog describes several notable TTPs used by this threat actor as well as recommendations to defend against\r\nrelated attacks. As with any observed nation-state actor activity, Microsoft directly notifies customers that have\r\nbeen targeted or compromised, providing them with the necessary information to secure their environments.\r\nWho is Moonstone Sleet?\r\nMoonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean\r\nstate-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat\r\nactors and unique attack methodologies. 
When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.\r\nMoonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.\r\nMoonstone Sleet tradecraft\r\nMicrosoft has observed Moonstone Sleet using the TTPs discussed in the following sections in various campaigns.\r\nhttps://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/\r\nPage 1 of 16\n\nTrojanized PuTTY\r\nIn early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF – with comparable techniques for anti-analysis, as we reported in 2022:\r\nFigure 1. 
Code from PuTTY executable\r\nThe trojanized PuTTY executable drops a custom installer which kicks off execution of a series of stages of malware, as described below:\r\n1. Stage 1 – Trojanized PuTTY: Decrypts, decompresses, and then executes the embedded stage 2 payload.\r\n2. Stage 2 – SplitLoader installer/dropper: Decrypts, decompresses, and writes the stage 3 payload, the SplitLoader DLL file, to disk. The installer also drops two encrypted files to disk, then executes SplitLoader via a scheduled task or registry run key.\r\n3. Stage 3 – SplitLoader: Decrypts and decompresses the two encrypted files dropped by the stage 2 payload, then combines them to create the next stage, another portable executable (PE) file.\r\n4. Stage 4 – Trojan loader: Expects a compressed and encrypted PE file from the C2. Once received, the trojan loader decompresses, decrypts, and executes this file.\r\nFigure 2. Moonstone Sleet attack chain using trojanized PuTTY\r\nMicrosoft has also observed Moonstone Sleet using other custom malware loaders delivered by PuTTY that behaved similarly and had argument overlap with previously observed Diamond Sleet malware artifacts, such as the following:\r\nMalicious npm packages\r\nMicrosoft has observed Moonstone Sleet targeting potential victims with projects that used malicious npm packages. Often, the threat actor delivered these projects through freelancing websites or other platforms like LinkedIn. In one example, the threat actor used a fake company to send .zip files invoking a malicious npm package under the guise of a technical skills assessment. When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader. 
In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS. Microsoft collaborated with GitHub to identify and remove repositories associated with this activity.\r\nMalicious tank game\r\nSince February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.\r\nFigure 3. Example of a Moonstone Sleet X (Twitter) account for its DeTankWar game\r\nMoonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:\r\nFigure 4. 
Moonstone Sleet using C.C. Waterfall to email a link to their game\r\nWhen targeted users launch the game, delfi-tank-unity.exe, additional included malicious DLLs are also loaded. The payload is a custom malware loader that Microsoft tracks as YouieLoad. Similarly to SplitLoader, YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.\r\nFigure 5. Page from the DeTankWar website\r\nRansomware\r\nIn April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny against a company it previously compromised in February. FakePenny includes a loader and an encryptor. Although North Korean threat actor groups have previously developed custom ransomware, this is the first time we have observed this threat actor deploying ransomware.\r\nMicrosoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation. Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya. The ransom demand was $6.6M USD in BTC. This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st.\r\nFigure 6. FakePenny ransomware note\r\nFigure 7. 
NotPetya ransomware note\r\nFake companies\r\nSince January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.\r\nStarGlow Ventures\r\nFrom January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.\r\nFigure 8. Example of an email from Moonstone Sleet’s StarGlow Ventures campaign\r\nThese emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain. While the emails did not contain any malicious links, Microsoft assesses Moonstone Sleet likely used this campaign to establish a relationship with target organizations. Although the purpose of these relationships is unclear, they may afford the actor access to organizations of interest or be used as revenue generation opportunities. 
Microsoft notified customers who were impacted by this Moonstone Sleet campaign.\r\nFigure 9. Unsubscribe page on the StarGlow Ventures website\r\nFigure 10. Informational pages for the StarGlow Ventures website\r\nC.C. Waterfall\r\nIn a similar campaign, Moonstone Sleet sent emails using its fake company C.C. Waterfall, a purported IT consulting organization.\r\nFigure 11. The landing page for C.C. Waterfall\r\nIn this campaign, Moonstone Sleet emailed higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities. This campaign likely had similar goals to the StarGlow Ventures campaign: to build relationships with organizations which could be leveraged for revenue generation or malicious access.\r\nFigure 12. Example of an email from C.C. Waterfall\r\nAs previously mentioned, Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the actor’s tank game, highlighting that this is a coordinated and concerted effort in which Moonstone Sleet can leverage multiple facets of its operations in overlapping campaigns.\r\nWork-for-hire\r\nIn addition to creating fake companies, Microsoft has observed Moonstone Sleet pursuing employment in software development positions at multiple legitimate companies. This activity could be consistent with previous reporting from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. 
On the other hand, this Moonstone Sleet activity may also be another approach to gaining access to organizations.\r\nMoonstone Sleet targets\r\nMoonstone Sleet’s primary goals appear to be espionage and revenue generation. Targeted sectors to date include both individuals and organizations in the software and information technology, education, and defense industrial base sectors.\r\nSoftware companies and developers\r\nSince early January 2024, Moonstone Sleet has used the above fake software development companies to solicit work or cooperation. This actor has also targeted individuals looking for work in software development, sending candidates a “skills test” that instead delivers malware via a malicious npm package.\r\nAerospace\r\nIn early December 2023, we observed Moonstone Sleet compromising a defense technology company to steal credentials and intellectual property. In April 2024, the actor ransomed the organization using FakePenny. The same month, we observed Moonstone Sleet compromise a company that makes drone technology. In May 2024, the threat actor compromised a company that makes aircraft parts.\r\nFitting into the North Korean threat actor landscape\r\nMoonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives. For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country’s objectives. Moonstone Sleet’s pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. 
Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations. Microsoft reported on Onyx Sleet’s and Storm-0530’s H0lyGh0st ransomware in 2022.\r\nMoonstone Sleet’s ability to conduct concurrent operations across multiple campaigns, the robustness of the malicious game, and the use of a custom new ransomware variant are strong indications that this threat actor may be well-resourced. Moreover, given that Moonstone Sleet’s initial attacks mirrored Diamond Sleet methodologies and heavily reused Diamond Sleet’s code in their payloads, Microsoft assesses this actor is equipped with capabilities from prior cyber operations conducted by other North Korean actors.\r\nMicrosoft has identified several techniques used by Moonstone Sleet that have previously been used by other North Korean threat actors. For example, since late 2023, an actor that Microsoft tracks as Storm-1877 used malicious npm packages in a campaign targeting software developers with JavaScript-based malware. This campaign was reported publicly by Palo Alto Networks as Contagious Interview. Additionally, in 2023, GitHub reported that Jade Sleet used malicious npm packages in a campaign consisting of fake developer and recruiter personas that operated on LinkedIn, Slack, and Telegram. This shared use of a relatively uncommon tactic across multiple distinct North Korean groups may suggest sharing of expertise and TTPs among North Korean threat actors.\r\nIn recent months, Microsoft and other security researchers have reported on North Korean threat actors’ use of software supply chain attacks to conduct widespread malicious operations. In November 2023, Microsoft reported on Diamond Sleet’s supply chain compromise of CyberLink, a multimedia application. 
While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns. Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.\r\nMoonstone Sleet’s appearance is an interesting development considering that North Korea has carried out a series of changes in its foreign relations and security apparatus. In November 2023, North Korea closed embassies in several countries, and in March 2024, may have dissolved the United Front Department (UFD), an agency believed to be responsible for reunification and propaganda.\r\nDespite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.\r\nRecommendations\r\nMicrosoft recommends the following mitigations to defend against attacks by Moonstone Sleet:\r\nDetect human-operated ransomware attacks with Microsoft Defender XDR.\r\nEnable controlled folder access.\r\nEnsure that tamper protection is enabled in Microsoft Defender for Endpoint.\r\nEnable network protection in Microsoft Defender for Endpoint.\r\nFollow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.\r\nMicrosoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by Moonstone Sleet:\r\nBlock executable content from email client and webmail\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nUse advanced protection against ransomware\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nBehavior:Win64/PennyCrypt\r\nHackTool:Win32/Mimikatz\r\nHackTool:Win64/Mimikatz\r\nTrojanDropper:Win32/SplitLoader\r\nTrojanDropper:Win64/YouieLoad\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nMoonstone Sleet actor activity detected\r\nSuspicious activity linked to a North Korean state-sponsored threat actor has been detected\r\nDiamond Sleet Actor activity detected\r\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity:\r\nMalicious credential theft tool execution detected\r\nMimikatz credential theft tool\r\nRansomware-linked threat actor detected\r\nSuspicious access to LSASS service\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\r\nDetect Procdump dumping LSASS credentials:\r\nDeviceProcessEvents\r\n| where (FileName has_any (\"procdump.exe\", \"procdump64.exe\") and ProcessCommandLine has \"lsass\")\r\n    or (ProcessCommandLine has \"lsass.exe\" and (ProcessCommandLine has \"-accepteula\" or ProcessCommandLine contains \"-ma\"))\r\nDetect connectivity with C2 infrastructure:\r\nlet c2servers = dynamic(['mingeloem.com','matrixane.com']);\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any (c2servers)\r\n| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp\r\nDetect connectivity to DeTank websites:\r\nlet c2servers = dynamic(['detankwar.com','defitankzone.com']);\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any (c2servers)\r\n| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMicrosoft Sentinel customers can also use the queries below to detect activity detailed in this blog.\r\nThis query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz:\r\nCredential Dumping Tools – Service Installation\r\nThis query detects the use of Procdump to dump credentials from LSASS memory:\r\nDump credential using procdump\r\nMicrosoft Sentinel customers can also use the following query, which looks for Microsoft Defender AV detections related to Moonstone Sleet. In Microsoft Sentinel, the SecurityAlert table includes only the DeviceName of the affected device. This query joins the DeviceInfo table to connect other information such as device group, IP, signed-in users, etc., allowing analysts to have more context related to the alert, if available:\r\nlet MoonStoneSleet_threats = dynamic([\"Behavior:Win64/PennyCrypt\", \"HackTool:Win32/Mimikatz\", \"HackTool:Win64/Mimikatz\", \"TrojanDropper:Win32/SplitLoader\", \"TrojanDropper:Win64/YouieLoad\"]);\r\nSecurityAlert\r\n| where ProviderName == \"MDATP\"\r\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\r\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\r\n| where ThreatName in~ (MoonStoneSleet_threats) or ThreatFamilyName in~ (MoonStoneSleet_threats)\r\n| extend CompromisedEntity = tolower(CompromisedEntity)\r\n| join kind=inner (\r\n    DeviceInfo\r\n    | extend DeviceName = tolower(DeviceName)\r\n) on $left.CompromisedEntity == $right.DeviceName\r\n| summarize arg_max(TimeGenerated, *) by 
DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities\r\n| extend HostName = tostring(split(CompromisedEntity, \".\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\r\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\r\n| project-away DomainIndex\r\n| project TimeGenerated, DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, CompromisedEntity, ProductName, Entities, HostName, HostNameDomain\r\nReferences\r\nHacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors (Palo Alto Networks Unit 42)\r\nSecurity alert: social engineering campaign targets technology industry employees (GitHub)\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/"
	],
	"report_names": [
		"moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f05d1524424f5ec5484b5d0858fee86919307ec0.pdf",
		"text": "https://archive.orkl.eu/f05d1524424f5ec5484b5d0858fee86919307ec0.txt",
		"img": "https://archive.orkl.eu/f05d1524424f5ec5484b5d0858fee86919307ec0.jpg"
	}
}