{
	"id": "c05bf66d-a818-49ba-b06e-8ccf07b0669c",
	"created_at": "2026-04-06T00:08:07.973033Z",
	"updated_at": "2026-04-10T03:20:23.267539Z",
	"deleted_at": null,
	"sha1_hash": "f912d3e708a84fdf3ddfbb6c3bc8a39e5f6793f0",
	"title": "GLOBAL Ransomware - New Tactics Revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3410632,
	"plain_text": "GLOBAL Ransomware - New Tactics Revealed\r\nBy Written byJayden Palacios\r\nArchived: 2026-04-05 20:04:16 UTC\r\nSummary\r\nGLOBAL ransomware is a recently established Ransomware-as-a-Service (RaaS) group that surfaced in mid-2025\r\nbut is linked through OPSEC mistakes to earlier families such as Mamona and BlackLock. The operation is\r\nfinancially motivated and wants to attract as many affiliates as possible, offering high revenue shares, no entry\r\nfees, and an admin panel with AI-driven negotiation tools. Victimology shows a clear focus on healthcare and\r\nmanufacturing sectors where downtime creates maximum pressure to pay. GLOBAL offers cross-platform lockers\r\nwritten in C++, C, and Golang with enterprise-oriented features such as LDAP propagation, token impersonation,\r\nand configurable execution modes designed for speed and scalability. GLOBAL affiliates leverage Initial Access\r\nBrokers to streamline intrusions, which expands participation and attack volume. The group uses aggressive\r\nnegotiation tactics, ransom notes delivered across multiple vectors, and a Tor-hosted AI chatbot portal to manage\r\ncommunications.\r\nAnalysis\r\nOverview\r\nGLOBAL Ransomware, also known as the GLOBAL GROUP, is a Ransomware-as-a-Service (RaaS) group that\r\nfirst emerged in June 2025. Since then, it has claimed 32 victims on its tor data leak site (DLS). Over half of\r\nGLOBAL’s victims operate in the healthcare or manufacturing sectors, following a larger trend where cyber\r\nextortionists target industries that are heavily reliant on digital systems for business operations. In healthcare, this\r\ncan disrupt patient care and overall well-being, creating additional pressure on victims during ransom\r\nnegotiations. This also reveals the financial motivations of the group, targeting high value sectors that are more\r\nlikely to pay a ransom to resume normal operations.\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 1 of 13\n\nMistakes in operational security (OPSEC) revealed that the group is a continuation of the Mamona and Blacklock\r\nransomware families. When first deploying its Tor DLS, GLOBAL used an insecure REST API on the frontend\r\nthat exposed an SSH connection field containing the true IP address of its backend infrastructure, 193.19.119[.]4.\r\nThis server is hosted by Russian VPS provider IPServer, the same hosting provider previously used by Mamona\r\nransomware. The clearest evidence, however, is the use of an identical mutex string, Global\\Fxo16jmdgujs437 ,\r\nfound in samples of both ransomware families. In addition, the same alias, $$$ , was used to advertise GLOBAL,\r\nMamona, and Blacklock ransomware lockers on the RAMP forum.\r\nForum posts advertising the RaaS use three languages; English, Russian, and Chinese. This indicates their desire\r\nto attract as many affiliates as possible as most RaaS advertisements only cater to English and Russian-speaking\r\nthreat actors. This is reflective of a shift in the cybercrime ecosystem where China-based threat actors are\r\nbeginning to contribute to the ransomware ecosystem. Furthermore, this may suggest GLOBAL intends to target\r\nChinese based organizations.\r\nGLOBAL operates in the same fashion as most RaaS groups. Affiliates are attracted using a high revenue share of\r\n85% for every ransom they extract from a victim. Currently, there is no fee to join GLOBAL’S affiliate program,\r\ngiving security researchers an opportunity to infiltrate the operation. GLOBAL offers an admin panel, enabling\r\naffiliates to conduct AI-assisted ransom negotiation chats, manage builds, and download decryptors.\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 2 of 13\n\nOur investigation into this threat group uncovered a Windows locker sample written in C++. The file was located\r\nby searching open malware exchange platforms for GLOBAL’s DLS onion site, which is hardcoded into their\r\nlockers. Sandbox analysis of the sample revealed the full ransom note with instructions to access a negotiation\r\nchat room. We repeated this process for additional GLOBAL ransomware samples, providing insight into both\r\ntheir negotiation tactics and attack chain.\r\nThe malware itself targets Windows, ESXi environments, network-attached storage (NAS) devices, and BSD-based operating systems (FreeBSD, OpenBSD, NetBSD, etc.). The lockers are written in C++, C, and Golang,\r\nrespectively. Its authors employ anti-analysis techniques to prevent reverse engineering including debugger checks\r\nto prevent dynamic analysis and dead code to confuse disassemblers.\r\nKill Chain\r\nGLOBAL affiliates rely on Initial Access Brokers (IABs) to obtain footholds in victim networks, reflecting a lack\r\nof in-house expertise to perform the more technical intrusion work themselves. Rather than developing their own\r\ninitial access methods, they outsource access or purchase tools that simplify the process. Forum activity shows\r\nGLOBAL’s operator “$$$” interacting with the actor “HuanEbashes,” who was selling a $400 “Brute VPN” tool\r\ncapable of password-spraying Fortinet VPN, Palo Alto GlobalProtect, Cisco VPN, Outlook Web Access (OWA),\r\nand RDWeb. This behavior demonstrates how GLOBAL compensates for limited intrusion skills by turning to\r\nIABs or malicious tools sold by other threat actors to secure valid credentials and initial entry.\r\nAfter gaining initial access, the locker payload is deployed. The locker code includes extensive configuration and\r\nexecution controls. Strings from a GLOBAL locker sample built for Windows show support for multiple runtime\r\narguments such as -force , -detached , -threads , -delay , and -skip-net , allowing affiliates to customize\r\nencryption behavior for speed, stealth, or delayed execution times (payload activates encryption at specified time).\r\nThe malware can also toggle spreading modes with -ldap for Active Directory domain propagation and\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 3 of 13\n\nimpersonation, indicating enterprise-focused design. Execution logs reference modes like Local + Network and\r\nPanic Mode , indicating the ability to rapidly encrypt all reachable storage in high-pressure scenarios.\r\nWhen GLOBAL engages in lateral movement primarily over LDAP, enabling domain-wide propagation in\r\nenterprise environments. The malware can operate with two distinct approaches: affiliates may supply direct\r\ndomain credentials to authenticate and spread across the network, or if credentials are not available, the malware\r\nattempts to impersonate the current user to continue propagation. It does this by invoking Windows API calls such\r\nas OpenProcessToken , DuplicateToken , and SetThreadToken to clone and apply a valid security token,\r\ngranting it the ability to act under the user’s context. This redundancy ensures execution, allowing GLOBAL to\r\nspread effectively whether or not valid credentials are on hand.\r\nGLOBAL affiliates engage in data theft prior to the encryption stage. Exfiltrated files are sent to a server under the\r\nthreat actor’s control, ensuring they still have leverage even if encryption fails. To obfuscate their entry point and\r\ndata servers, the attackers route this traffic through proxy servers and VPNs.\r\nBefore the locker payload is deployed, GLOBAL affiliates employ several defense evasion techniques to\r\nmaximize impact and reduce detection. The malware executes commands such as cmd.exe /c vssadmin delete\r\nshadows /all /quiet to remove Volume Shadow Copies and prevent easy recovery. It also attempts to terminate\r\nantivirus and endpoint detection and response (EDR) processes, then clears Windows Event Logs to hinder\r\nforensic analysis and incident response.\r\nFor encryption, the ransomware uses the ChaCha20-Poly1305 algorithm and prioritizes speed. Files less than\r\n5MB are fully encrypted and files greater than 5MB only have 20% of their file encrypted. Affiliates are able to\r\nuse custom file extensions for encrypted files with some affiliates using seemingly random strings. The malware\r\nalso uses multiple threads to encrypt multiple drives, directories, and files concurrently. As mentioned before,\r\noperators can configure their execution using command lines arguments that dictate what is encrypted, granting\r\ngreater control over potential encryption time. GLOBAL ransomware uses a unique mutex to determine if the\r\nmachine its executing on has already been encrypted. If the mutex exists on the machine, ransomware was already\r\nexecuted so the malware exits to avoid wasting time encrypting the data again. However, this can be overridden\r\nusing the -force flag.\r\nFinally, text files containing two different ransom notes are created. A short “stub” note is dropped across many\r\ndirectories, stating that files were encrypted and tells the user to visit the site and use the ID, but it does not\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 4 of 13\n\ninclude the URL or the ID. This stub is hardcoded as plain text in the binary. The full ransom note, which includes\r\nthe Tor onion chat link and the unique victim ID, is written to the user’s Desktop and Documents folders.\r\nThe ransomware also attempts to print ransom notes on any available printers and replaces all desktop wallpapers\r\nwith a redacted version of the note. Morado identified a new version of the GLOBAL ransomware note. Both\r\nversions will be included alongside IOCs.\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 5 of 13\n\nIn one negotiation, affiliates shared a high-level summary of their kill chain. Initial access was achieved through\r\nphishing that delivered a Remote Access Trojan (RAT), which created a remote connection to the infected host.\r\nPersistence was maintained by installing additional software configured to execute at startup and evade detection.\r\nThe actors conducted reconnaissance of the internal environment, enumerating servers, user accounts, and\r\npermissions. Privilege escalation was obtained by exploiting a system vulnerability to gain administrator rights,\r\nfollowed by lateral movement to compromise additional machines. Finally, data was exfiltrated to attacker-controlled servers, with proxy servers and VPNs used to obfuscate the exit points and external infrastructure.\r\nThis account directly supports the earlier analysis. The use of a RAT aligns with the type of access commonly sold\r\nby IABs, lateral movement matches observed LDAP-based propagation techniques, and the reliance on VPNs and\r\nproxies reinforces how affiliates conceal the location of their exfiltration servers.\r\nNegotiation Tactics\r\nOnce data is exfiltrated and encrypted, ransom negotiations are started. Victims are typically given three days to\r\nrespond before threatening to leak stolen data, but this slight varies by incident. Once negotiations begin, this\r\ngrace period is extended until a payment is made or no agreement is reached. GLOBAL affiliates have been seen\r\ndemanding ransom payments of over one million USD. In some chats, affiliates require victims to pay 50% of the\r\nransom demand upfront in order to continue negotiations. Payments are made via bitcoin. Affiliates work to\r\ninduce a sense of urgency using direct language alongside threats of data leakage leading reputational impact.\r\nThey use OSINT and compromised data to evoke a feeling of deep surveillance and knowledge of the victim’s\r\nbusiness operations, further pressuring a payment. Affiliates also state plainly that they only care about money,\r\nshowing clear financial motivations. Their negotiation strategy is aggressive, starting with extremely high\r\ndemands but conceding to most counter offers. In one case, a ransom was lowered by nearly 75% from the\r\noriginal price with no resistance from the affiliate, indicating flexibility designed to secure quick payments.\r\nThe FAQ within the portal expresses that GLOBAL provides decryption tools after successful payments, deletion\r\nof all data, technical support, and a security assessment. GLOBAL clearly wants to be viewed as trustworthy to\r\nconvince victims that paying a ransom is the best option. However, there is no way to confirm these claims and\r\nshould be assumed to be false like the claims of any cybercriminal.\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 6 of 13\n\nConclusion\r\nGLOBAL ransomware represents the continued evolution of mid-tier RaaS operations into enterprise-focused\r\nthreats. The group has clear lineage to Mamona and BlackLock but distinguishes itself through multilingual\r\nrecruiting, AI-assisted negotiation tooling, and two-stage ransom note delivery. Its reliance on Initial Access\r\nBrokers and purchased attack tools lowers the barrier to entry, broadening affiliate participation and increasing\r\nattack volume.\r\nThe operation’s emphasis on rapid, configurable encryption and pre-encryption data theft creates significant\r\npressure on victims in healthcare and manufacturing, sectors already vulnerable to downtime. Combined with\r\naggressive negotiation tactics and flexible ransom demands, GLOBAL poses a significant threat to organizations\r\noperating in critical sectors.\r\nGiven its growth trajectory and focus on sectors with low tolerance for disruption, GLOBAL should be treated as\r\nan active and expanding threat. Defenders should expect campaigns leveraging IAB access, brute-force tooling,\r\nand opportunistic targeting of exposed enterprise services.\r\nRecommendations\r\nLimit and monitor LDAP services to reduce risk of domain-wide propagation.\r\nIsolate critical systems (e.g., healthcare or manufacturing control systems) from user endpoints to contain\r\npotential lateral movement. and reduce operational impact\r\nEnforce strict access controls, disable unused accounts, and use Just-in-Time (JIT) privileges to limit token\r\nabuse.\r\nContinuously assess exposure from Initial Access Brokers (IABs) by monitoring compromised credentials\r\nand stealer log markets within the Threatnote platform.\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 7 of 13\n\nWatch for creation of the unique mutex string Global\\\\Fxo16jmdgujs437 or variants, which indicate\r\nexecution attempts.\r\nEnsure a backup strategy is in place, clearly outlined, and has been tested to verify its efficacy.\r\nRansom Notes\r\nOur investigation revealed a new, slightly modified, version of the previously known GLOBAL ransom note. Both\r\nare provided below.\r\nNew GLOBAL Ransom Note\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\n Your network has been compromised by GLOBAL Group\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\nAll important files are now inaccessible. They have been locked using\r\nmilitary-grade encryption. Only GLOBAL holds the decryption keys.\r\n\u003e\u003e\u003e What happened? \u003c\u003c\u003c\r\n=======================\r\nWe gained full access to your network. Sensitive data was exfiltrated\r\nand your systems were encrypted. Your business operations and customer\r\ndata are at risk.\r\n\u003e\u003e\u003e What comes next? \u003c\u003c\u003c\r\n=========================\r\nTo restore access:\r\n1. Download Tor Browser (https://www.torproject.org/)\r\n2. Visit our portal: gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/{redacted\r\nslug}\r\n3. Enter your ID: \u003e\u003e\u003e {redacted chat room password}\u003c\u003c\u003c\r\n4. Follow instructions to begin negotiations.\r\nYou may submit one small file (\u003c1MB) for free decryption as proof.\r\nWe will send you a file-listing proving we have stolen your data.\r\n\u003e\u003e\u003e FAILURE TO ENGAGE WITHIN 7 DAYS RESULTS IN: \u003c\u003c\u003c\r\n=====================================================\r\n- Public release of your documents\r\n- Irreversible loss of encrypted data\r\n- Escalation to wider leak network\r\n- Permanent reputation damage\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 8 of 13\n\nDo not contact recovery services - they cannot help.\r\nDo not waste time with third-party tools or law enforcement.\r\nDo not tamper with encrypted files - you may corrupt them.\r\nThis is just business.\r\nData Leak Site: http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\n       **GLOBAL operates globally.**\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\nOld GLOBAL Ransom Note\r\nGLOBAL\r\nYour network has been encrypted.\r\nAll of your important files — documents, databases, backups, and configurations are now inaccessible.\r\nThey have been locked using military-grade encryption. Only GLOBAL holds the decryption keys.\r\nWhat happened?\r\n-------------------------\r\nWe have gained full access to your internal network. During this time, sensitive data was exfiltrated\r\nand your systems were encrypted.\r\nYour business operations, internal communications, and customer data are at risk.\r\nWhat comes next?\r\n-------------------------\r\nTo restore access:\r\n1. Download the Tor Browser (https://www.torproject.org/)\r\n2. Visit our secure portal:\r\ngdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/{redeacted slug}\r\n3. Enter your unique ID: {redacted chat room password}\r\n4. Follow the instructions to begin negotiations.\r\nYou may submit one small file (\u003c1MB, non-sensitive) for free decryption as proof we hold the keys.\r\nWe will also send you a file-listing to prove to you that we have stolen your data.\r\nFailure to engage within 3 days will result in:\r\n- Public release of your internal documents\r\n- Irreversible loss of your encrypted data\r\n- Escalation of your case to a wider leak network\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 9 of 13\n\nThere is no other way. Do not waste time with third-party tools or law enforcement.\r\nYou will only make things worse.\r\nThis is not personal. Just business.\r\nData Leak Site - http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/\r\n**GLOBAL operates globally.**\r\nIOCs\r\nType Value Note\r\nFileHash-SHA256\r\n23b43226d53e2c8cd9519d785ba75b833fbd11939cd1d70999f84c1365b2da5d\r\nRansomware\r\nexecutable\r\nFileHash-SHA256\r\n1d5bd6014a9c37e06b0c02b29eaed53725c9abf8be57bed0151c5599af3e3f4d\r\nOld Ransom\r\nNote\r\nFileHash-SHA256\r\n791ecebd558390e04c96fc86e995bfb0240d601ca2d4d183fa5e0d16a6358e39\r\nNew\r\nRansom\r\nNote\r\nOnion\r\nURL\r\nhttp://gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion\r\nVictim\r\nPortal\r\nOnion\r\nURL\r\nhttp://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/ DLS\r\nString \"Global\\Fxo16jmdgujs437\"\r\nUnique\r\nMutex Used\r\nFileHash-SHA256\r\nb5e811d7c104ce8dd2509f809a80932540a21ada0ee9e22ac61d080dc0bd237d\r\nRansomware\r\nSample\r\nFileHash-SHA256\r\n232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f\r\nRansomware\r\nSample\r\nFileHash-SHA256\r\n28f3de066878cb710fe5d44f7e11f65f25328beff953e00587ffeb5ac4b2faa8\r\nRansomware\r\nSample\r\nFileHash-SHA256\r\n1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e\r\nRansomware\r\nSample\r\nFileHash-SHA256\r\n232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f\r\nRansomware\r\nSample\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 10 of 13\n\nType Value Note\r\nFileHash-SHA256\r\na8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73\r\nRansomware\r\nSample\r\nTTPs\r\nTactic Technique Subtechnique\r\nTA0001: Initial Access\r\nT1190: Exploit Public-Facing\r\nApplication\r\nT1133: External Remote Services\r\nT1078: Valid Accounts T1078.001: Default Accounts\r\nT1078: Valid Accounts T1078.002: Domain Accounts\r\nTA0002: Execution\r\nT1059: Command and Scripting\r\nInterpreter\r\nT1059.001: PowerShell\r\nT1203: Exploitation for Client Execution\r\nT1053: Scheduled Task/Job\r\nT1569: System Services T1569.002: Service Execution\r\nT1047: Windows Management\r\nInstrumentation\r\nT1106: Native API\r\nTA0003: Persistence T1543: Create or Modify System Process T1543.003: Windows Service\r\nT1133: External Remote Services\r\nT1053: Scheduled Task/Job\r\nT1078: Valid Accounts T1078.001: Default Accounts\r\nT1078: Valid Accounts T1078.002: Domain Accounts\r\nTA0004: Privilege\r\nEscalation\r\nT1543: Create or Modify System Process T1543.003: Windows Service\r\nT1068: Exploitation for Privilege\r\nEscalation\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 11 of 13\n\nTactic Technique Subtechnique\r\nT1053: Scheduled Task/Job\r\nT1078: Valid Accounts T1078.001: Default Accounts\r\nT1078: Valid Accounts T1078.002: Domain Accounts\r\nT1134: Access Token Manipulation\r\nT1134.001: Token\r\nImpersonation/Theft\r\nTA0005: Defense\r\nEvasion\r\nT1480: Execution Guardrails T1480.002: Mutual Exclusion\r\nT1562: Impair Defenses\r\nT1562.001: Disable or Modify\r\nTools\r\nT1656: Impersonation\r\nT1070: Indicator Removal\r\nT1070.001: Clear Windows Event\r\nLogs\r\nT1036: Masquerading\r\nT1027: Obfuscated Files or Information\r\nT1027.013: Encrypted/Encoded\r\nFile\r\nT1078: Valid Accounts T1078.001: Default Accounts\r\nT1078: Valid Accounts T1078.002: Domain Accounts\r\nT1134: Access Token Manipulation\r\nT1134.001: Token\r\nImpersonation/Theft\r\nT1622: Debugger Evasion\r\nT1497: Virtualization/Sandbox Evasion T1497.003: Time Based Evasion\r\nTA0006: Credential\r\nAccess\r\nT1110: Brute Force\r\nTA0007: Discovery T1083: File and Directory Discovery\r\nT1046: Network Service Discovery\r\nT1135: Network Share Discovery\r\nT1057: Process Discovery\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 12 of 13\n\nTactic Technique Subtechnique\r\nT1016: System Network Configuration\r\nDiscovery\r\nTA0008: Lateral\r\nMovement\r\nT1021: Remote Services\r\nT1021.001: Remote Desktop\r\nProtocol\r\nT1021: Remote Services\r\nT1021.002: SMB/Windows Admin\r\nShares\r\nTA0011: Command and\r\nControl\r\nT1105: Ingress Tool Transfer\r\nTA0010: Exfiltration T1020: Automated Exfiltration\r\nT1041: Exfiltration Over C2 Channel\r\nT1567: Exfiltration Over Web Service\r\nT1567.002: Exfiltration to Cloud\r\nStorage\r\nTA0040: Impact T1486: Data Encrypted for Impact\r\nT1657: Financial Theft\r\nT1490: Inhibit System Recovery\r\nT1489: Service Stop\r\nSource: https://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nhttps://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.morado.io/blog-posts/global-ransomware---new-tactics-revealed"
	],
	"report_names": [
		"global-ransomware---new-tactics-revealed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f912d3e708a84fdf3ddfbb6c3bc8a39e5f6793f0.pdf",
		"text": "https://archive.orkl.eu/f912d3e708a84fdf3ddfbb6c3bc8a39e5f6793f0.txt",
		"img": "https://archive.orkl.eu/f912d3e708a84fdf3ddfbb6c3bc8a39e5f6793f0.jpg"
	}
}