{
	"id": "c7e48f0b-d790-4a8a-b934-e49ea97ad95b",
	"created_at": "2026-04-06T00:11:17.24247Z",
	"updated_at": "2026-04-10T03:21:17.637474Z",
	"deleted_at": null,
	"sha1_hash": "f54160147f4284467cdadf4f4cb3b5e85646500c",
	"title": "Spear Phishing Campaign Delivers Buer \u0026 Bazar | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1249850,
	"plain_text": "Spear Phishing Campaign Delivers Buer \u0026 Bazar | Zscaler Blog\r\nBy Mohd Sadique, Atinderpal Singh\r\nPublished: 2020-09-29 · Archived: 2026-04-05 16:56:43 UTC\r\nZscaler ThreatLabZ became aware of a prevalent phishing campaign targeting employees of various\r\norganizations. During the past couple of weeks, many enterprise users have been getting spear phishing emails\r\nindicating that their employment with the company has been terminated.\r\nThese emails contain a Google document link that leads to the Bazar backdoor (from the TrickBot gang). What's\r\ninteresting is that this campaign also used the Buer loader, which is the first time we have seen these two malware\r\nstrains used together.\r\nUse of the Buer loader by the TrickBot gang comes as no surprise as this group is known to work with different\r\nmalware groups. In the past, the TrickBot gang has also worked with other botnets, such as Emotet. \r\nCampaign\r\nIn this email campaign, instead of relying on attachments, the attackers included links to what appeared to be a\r\nlegitimate Google Docs document, which itself contained links to malicious files hosted on Google Drive or, in\r\nsome cases, hosted elsewhere. 
In some previous phishing email campaigns, attackers leveraged SendGrid to\r\ndistribute the initial emails to hide the Google Drive links in the documents behind a SendGrid URL as a way to\r\nbypass traditional defences.\r\nSamples of emails that we have seen are shown in Figure 1 and Figure 2.\r\nhttps://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware\r\nPage 1 of 15\n\nFigure 1: One of the spear phishing email templates targeting an employee.\r\nFigure 2: Another spear phishing email template.\r\nThe link in both emails is a Google Docs link claiming to host a PDF file with a list of employees that have\r\nbeen terminated, as shown in Figure 3.\r\nFigure 3: The link to the fake Google Doc containing the download link.\r\nThe link in the Google Doc redirects to the URL unitedyfl[.]com/print_preview.exe to download the malware\r\npayload.\r\nAlthough the use of target names with actuating themes is not new to this group, there has been a significant\r\nuptick in the number of emails received and this campaign has been persistently active for the past few weeks.\r\nPacker\r\nIn most cases, the payload that is downloaded is the Bazar malware but, in some cases, it is the Buer loader. The\r\npacker used in both malware payloads is identical. Most notably, the packed binaries are exe files with a randomly\r\nnamed export function. The export function is responsible for payload decryption and injection. \r\nFirst, a shellcode is decrypted, which further decrypts a headerless PE loader that has the final payload in its\r\noverlay. The headerless loader allocates memory, maps the payload into memory with proper permissions, and\r\nfinally transfers control to it. 
In this campaign, no process self-injection is used to load the payload.\r\nFigure 4: The decrypted headerless PE loader.\r\nFigure 5: The payload embedded at the end of the loader.\r\nBazar loader and Bazar backdoor\r\nThe Bazar backdoor is a new stealthy malware, part of the TrickBot group’s toolkit arsenal and leveraged for high-value targets. The Bazar loader is used to download and execute the Bazar backdoor on the target system. The\r\ngoal of this backdoor is to execute binaries, scripts, modules, kill processes, and then remove itself from the\r\ncompromised machine. The samples used in this campaign heavily rely on control flow obfuscation. The detailed\r\nanalysis report about this backdoor can be found here.\r\nThe Bazar loader downloads the Bazar backdoor from the C\u0026C using the following URI format:\r\n{C\u0026C}/api/v\\d{3}\r\nThe downloaded payload is XOR-encrypted and can be decrypted using the script provided in the appendix. \r\nThe downloaded malware was successfully captured by the Zscaler Cloud Sandbox:\r\nFigure 6: The Zscaler Cloud Sandbox report.\r\nThe C\u0026C TLS communications of the Bazar backdoor have been using certificates created in the same manner\r\nthat TrickBot certificates have been created. The C\u0026C server TLS certificate is shown in Figure 7.\r\nFigure 7: The Bazar/TrickBot TLS certificate.\r\nResearchers also observed that the backdoor downloads and executes the Cobalt Strike pentesting and post-exploitation toolkit on the victim's machine within some period of time after the infection. 
The deployment of Cobalt\r\nStrike makes it clear that this stealthy backdoor is being used to gain a foothold in corporate networks so that\r\nransomware can be deployed, data can be stolen, or network access can be sold to other threat actors.\r\nBuer loader\r\nThe Buer loader was first discovered around the end of 2019. It is a very capable malware written in C and\r\nprimarily sold on Russian underground forums for around US$400. Notably, this malware does not function in the\r\nCIS. It has most of the important strings encrypted and APIs are loaded by hash, just like most of the sophisticated\r\nmalware these days. We are not going to go into technical details because detailed analysis of this has already\r\nbeen published.\r\nThe Buer loader was captured by the Zscaler Cloud Sandbox.\r\nFigure 8: The Zscaler Cloud Sandbox report for the Buer loader.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various\r\nlevels:\r\nWin32.Trojan.Buerloader\r\nWin32.Backdoor.Bazar\r\nConclusion\r\nThe TrickBot group has been running similarly themed campaigns for some time. The targeted nature of the\r\ncampaign with subject lines having the organization’s name makes these campaigns highly effective compared to\r\ngeneric spray-and-pray attacks. But even these specially crafted attacks are not immune from a pair of vigilant\r\neyes and the right set of tools. We at Zscaler ThreatLabZ are always on the lookout for bad stuff—be it for our\r\ncompany or for our customers—to provide protection against it.\r\nLast but not least, always be attentive while opening any email links or attachments. 
Even if there is a tiny bit\r\nof suspicion, verify the email or get it reviewed thoroughly by your security team before proceeding further.\r\nIOCs\r\nMD5\r\nDistribution and document URLs \r\nC\u0026C\r\nBuer loader\r\nBazar loader\r\nSome of the URIs seen in this campaign include\r\n/api/v190 - Download Updated Bazar loader(64 - bit)\r\n/api/v192 - Download Bazar backdoor(64 - bit)\r\n/api/v202 - (Server did not respond 
with payload at the time of analysis)\r\n/api/v207 - (Server did not respond with payload at the time of analysis)\r\nPDB string\r\nc:\\Users\\Mr.Anderson\\Documents\\Visual Studio 2008\\Projects\\Anderson\\x64\\Release\\Anderson.pdb\r\nSome of the subject lines observed\r\nRe: {Target Company Name} termination list\r\nRe: {Target Company Name} avoiding\r\nFW: Urgent: {Target Company Name}: A Customer Complaint Request – Prompt Action Required\r\nRE: FYI: {Target Company Name} Employees Termination List – Confirmation Required\r\nRe: complaint request\r\nRe: my call, {Target Company Name}.\r\nRe: {Target Company Name} - my visit\r\nRe: can't call you\r\nMITRE ATT\u0026CK \r\nID Technique\r\nT1566.002 Phishing: Spearphishing Link\r\nT1566.003 Phishing: Spearphishing via Service\r\nT1204.001 User Execution: Malicious Link\r\nT1204.002 User Execution: Malicious File\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1055.013 Process Injection: Process Doppelgänging\r\nT1055.012 Process Injection: Process Hollowing\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1036.005 Masquerading: Match Legitimate Name or Location\r\nT1087 Account Discovery\r\nT1010 Application Window Discovery\r\nT1083 File and Directory Discovery\r\nT1057 Process Discovery\r\nT1012 Query Registry\r\nT1018 Remote System Discovery\r\nT1082 System Information Discovery\r\nT1033 System Owner/User Discovery\r\nT1124 System Time Discovery\r\nT1119 Automated Collection\r\nT1005 Data from Local System\r\nT1053.002 Scheduled Task/Job: At (Windows)\r\nT1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL\r\nT1071.001 Application Layer Protocol: Web 
Protocols\r\nT1568.002 Dynamic Resolution: Domain Generation Algorithms\r\nT1020 Automated Exfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nAppendix\r\nScript to decrypt downloaded Bazar backdoor\r\nkey = b\"20200915\"\r\n# Read the XOR-encrypted payload downloaded by the Bazar loader\r\nwith open(\"v190\", \"rb\") as f:\r\n    data = f.read()\r\n# XOR every byte with the repeating key\r\nout = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))\r\nwith open(\"dec1\", \"wb\") as f:\r\n    f.write(out)\r\n# Note: Key can vary between downloader samples\r\nBuer strings\r\nBuer loader API hashes and corresponding API names\r\nReferences\r\nhttps://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\nhttps://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html\r\nhttps://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/\r\nSource: https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware"
	],
	"report_names": [
		"spear-phishing-campaign-delivers-buer-and-bazar-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f54160147f4284467cdadf4f4cb3b5e85646500c.pdf",
		"text": "https://archive.orkl.eu/f54160147f4284467cdadf4f4cb3b5e85646500c.txt",
		"img": "https://archive.orkl.eu/f54160147f4284467cdadf4f4cb3b5e85646500c.jpg"
	}
}