################################################################
# ThreatFox IOCs: Suricata rules                               #
# Last updated: 2026-03-07 11:09:15 UTC                        #
#                                                              #
# Terms Of Use: https://threatfox.abuse.ch/faq/#tos            #
# For questions please contact threatfox [at] abuse.ch         #
################################################################
#
# Layout: one rule per line; the banner above is kept apart from the first rule.
#
# Reading these rules:
#   - Domain rules (`alert dns`): `dns_query` inspects the DNS query name. `depth` equals the
#     length of the listed name and `isdataat:!1,relative` requires that nothing follows it,
#     so only the exact name matches (case-insensitively, via `nocase`); subdomains of a
#     listed name are not covered.
#   - ip:port rules (`alert tcp`): no payload or flow keyword is present, so any TCP packet
#     from $HOME_NET to the listed address and port matches. `threshold: type limit,
#     track by_src, seconds 60, count 1` caps output at one alert per source host per 60 s.
#   - `target:src_ip` marks the $HOME_NET side as the affected host in the alert event.
#     NOTE(review): where clients query an internal resolver, the source the sensor sees may
#     be that resolver rather than the client that issued the lookup -- correlate with
#     resolver logs before attributing the alert to a host.
#   - `sid` is the ThreatFox IOC id from the `reference` URL prefixed with 9
#     (ioc/1760883 -> sid:91760883), so an alert maps straight back to its IOC page.
#   - `metadata` carries the feed's confidence_level and first_seen date; the rules hold no
#     expiry field, so check the IOC page for current status when triaging older entries.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"neo-f0re5t.bluecrest.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760883; rev:1;)
alert tcp $HOME_NET any -> [85.209.231.90] 7007 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0qbwh6hprn.localto.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imprisso-eg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webcottages.co.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourgymstory.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kooshangallery.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proonepersan.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lapdatcameravhb.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drifstac.bluecrest.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"un1te3-trace.bluecrest.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ship-spark.redcrest.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hill-ciphe.redcrest.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vor-valeal.redcrest.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maheshwaristerling.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vorven0a.redcrest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solidcarg.getreplay.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crafshi.getreplay.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geneexp.getreplay.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"73rgwdew.getreplay.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maheradadaprinting.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w5iqlr.automodglass.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjmlw8.automodglass.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"visualstock.automodglass.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"normark5or.automodglass.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"neo-5ound.caseoptional.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sol-nexex.caseoptional.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"passiveasset.caseoptional.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magroplast.ba"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ki540.caseoptional.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lgjzs62i.rockexcellent.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumcore6en.rockexcellent.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxabco.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i1lum-flow.rockexcellent.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"invoicetiny.rockexcellent.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xib3i7ay.budenowcvolt.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0a6nq1j0.budenowcvolt.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trispireum7.dancingvck.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cargo9-stack.dancingvck.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stone3-lab.dancingvck.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ca1m-graph.reinsurunrock.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760840; rev:1;)
alert tcp $HOME_NET any -> [58.244.40.102] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"unit-gri.reinsurunrock.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760838; rev:1;)
alert tcp $HOME_NET any -> [93.232.101.177] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760837; rev:1;)
alert tcp $HOME_NET any -> [221.211.177.152] 5944 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760836; rev:1;)
alert tcp $HOME_NET any -> [18.97.21.97] 57143 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filmkenti.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760834; rev:1;)
alert tcp $HOME_NET any -> [20.100.168.21] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760833; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.173] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magicvision.ca"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mh738ng0.reinsurunrock.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zendra2is.reinsurunrock.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thorntrue.draniercismn.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n3ural-mark.draniercismn.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coralwil.draniercismn.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"misfinal.draniercismn.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2nyix.albaniangun.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittiemc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuttiesmp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetiecraft.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cherriecraft.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatsmp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittieslandmc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittypixel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragnacook.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittysmp.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutiemc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittiensmc.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanriomc.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanriomc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittlycraft.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittensmp.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittlycraft.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellokittymc.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitllycraft.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellokittysmc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrcmodz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittiescraft.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.uwucraft.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sweet-craft.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sugarsmp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetkittycraft.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitseramc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"purfall.games"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittenscraft.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yagiz.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neekocraft.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetcraft.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysticraftsmp.fun"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minicraft.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittiesmc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittiescraft.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittyscrafts.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittenmc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittyescraft.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playsweetcraft.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pinkcraftmc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9guk.albaniangun.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760823; rev:1;)
alert tcp $HOME_NET any -> [167.172.150.241] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"currencyflow.usdwane.in.net"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760312; rev:1;)
# ip:port indicator. The rule matches on the packet header alone (no flow or
# content keywords), so a connection attempt from $HOME_NET to this address and
# port alerts whether or not the session completes. "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per source host
# per 60 seconds. target:src_ip marks the internal source as the alert's target.
alert tcp $HOME_NET any -> [178.128.174.202] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760310; rev:1;)
# Domain indicators. depth equals the length of the name and
# isdataat:!1,relative requires that nothing follows it, so only a query for
# exactly this name matches (case-insensitively, via nocase). A query for a
# subdomain of the listed name does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keitarocheats.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8qzr.blinderdevour.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760315; rev:1;)
# URL indicator. The host is matched as a whole buffer (depth plus
# isdataat:!1,relative), but the URI is anchored only at its start: any GET
# whose URI begins with "/api/download" matches, including longer paths and
# query strings. The rule sees cleartext HTTP only; the same request over TLS
# is not inspected unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; nocase; http.host; content:"103.27.157.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ewar4pres.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1760351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760351; rev:1;)
# URL indicators on ewar4pres.com. Each rule requires a GET, a URI that begins
# with the listed path (depth anchors the start; nothing anchors the end, so a
# trailing query string or longer path still matches) and an http.host buffer
# equal to the listed name (depth plus isdataat:!1,relative). These rules
# inspect cleartext HTTP only; over TLS the request is not visible to them, and
# the DNS rule for the same domain (sid 91760351) is what covers the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5j2s.js"; depth:8; nocase; http.host; content:"ewar4pres.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"ewar4pres.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760355; rev:1;)
# The URI pattern here is the two-byte prefix "/o" with no end anchor, so every
# GET to road-to-hell.top whose URI starts with "/o" alerts, not only a request
# for exactly "/o".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; nocase; http.host; content:"road-to-hell.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760373; rev:1;)
# Domain indicator for the same host: exact query name only (depth equals the
# name length and isdataat:!1,relative forbids trailing bytes), so queries for
# subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"road-to-hell.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/follow/index.html"; depth:18; nocase; http.host; content:"cdn3-cloudservices-verify.t3.storage.dev"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760386/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_07; classtype:trojan-activity; sid:91760386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tricitiesbydesign.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooe.digitalmatters360.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760392; rev:1;) alert tcp $HOME_NET any -> [192.109.200.147] 6767 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760417; rev:1;) alert tcp $HOME_NET any -> [161.35.37.48] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"blood04.dialectblood.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"43.164.1.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760459; rev:1;) alert tcp $HOME_NET any -> [206.189.72.196] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"halroda.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infhkkh.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pardpew.cyou"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phyerfs.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trafsyt.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worteof.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760503; rev:1;) alert tcp $HOME_NET any -> [167.172.150.241] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sur-vault.reinsurundock.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760539/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_07; classtype:trojan-activity; sid:91760539; rev:1;)
# ip:port indicator: header-only match (no flow or content keywords), limited
# to one alert per source host per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [143.110.174.5] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760544; rev:1;)
# The next three URL rules carry confidence_level 50 and a URI pattern of "/"
# with depth:1 and no end anchor. That pattern is satisfied by any URI that
# starts with "/", so in effect each rule alerts on every cleartext HTTP GET
# whose http.host buffer equals the listed name. They share
# classtype:trojan-activity with the confidence-100 rules, so the
# confidence_level metadata key is the only field that distinguishes them;
# use it when deciding alert priority or before enabling drop actions.
# NOTE(review): the feed does not say whether these hosts are dedicated
# infrastructure or otherwise legitimate sites; check the referenced ThreatFox
# entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lvlenergy.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760547/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_07; classtype:trojan-activity; sid:91760547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lynx-new.mightrecoverymarketing.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760560/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_07; classtype:trojan-activity; sid:91760560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lxbrands.se"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760548/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_07; classtype:trojan-activity; sid:91760548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nasot04.nasotoptional.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1760576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ional-sync.nasotoptional.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lyssatee.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760581/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_07; classtype:trojan-activity; sid:91760581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"morskirai.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760582/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_07; classtype:trojan-activity; sid:91760582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ktmx.albaniangun.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumtideen.albaniangun.in.net"; depth:28; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9ecfdotb.horsesence.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760820; rev:1;) alert tcp $HOME_NET any -> [115.190.223.226] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760819; rev:1;) alert tcp $HOME_NET any -> [8.131.77.227] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud-ker.horsesence.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ba7mcgai.horsesence.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760816/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_07; classtype:trojan-activity; sid:91760816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ultra-g3ne.horsesence.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nd4ih.padohooing.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"driv3-logic.padohooing.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"revi-clust.padohooing.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vect0-signal.padohooing.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760811; rev:1;) 
# Domain indicator: matches a DNS query for exactly this name (depth equals the
# name length, isdataat:!1,relative forbids trailing bytes, nocase ignores
# case). Queries for other labels under putreplay.in.net need their own rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"replay-net.putreplay.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760810; rev:1;)
# ip:port indicators. These rules match on the packet header alone (no flow or
# content keywords): any TCP packet from $HOME_NET to the listed address and
# port alerts, at most once per source host per 60 seconds. The first rule is
# on port 80, so every connection to 198.44.251.110:80 alerts regardless of
# what is requested.
# NOTE(review): if that address also serves unrelated content, this sid will
# produce false positives; confirm against the ThreatFox entry before using it
# for blocking.
alert tcp $HOME_NET any -> [198.44.251.110] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760809; rev:1;)
alert tcp $HOME_NET any -> [47.236.232.206] 6003 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760806; rev:1;)
alert tcp $HOME_NET any -> [198.44.251.110] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760807; rev:1;)
alert tcp $HOME_NET any -> [198.44.251.110] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g70aw0re.bucketeuthan.digital"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kgcrad14.bucketeuthan.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"put08.putreplay.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"replay-v1.putreplay.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"macrobatic.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"put-play.putreplay.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760800/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mod-logic.automodcompass.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mabnetsolutions.co.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"auto-v33.automodcompass.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3geeks.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mod-track.automodcompass.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; 
sid:91760795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3-cleaning.solution25-staging.website"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"auto-compass.automodcompass.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2afutbol.es"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.sdfauto.ro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760575; rev:1;) alert tcp $HOME_NET any -> [54.252.231.195] 10277 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760572; rev:1;) alert tcp $HOME_NET any -> [54.252.231.195] 427 (msg:"ThreatFox Meterpreter botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760573; rev:1;)

# ---------------------------------------------------------------------------
# Reviewer notes: how to read the generated rules that follow
#
# ip:port rules (alert tcp $HOME_NET any -> [addr] port)
#   - The only match conditions are source net, destination address and
#     destination port. There is no flow, flags or payload keyword, so an
#     alert shows that a $HOME_NET host sent TCP traffic toward the indicator,
#     not that a session was established or that it carried the family named
#     in msg. Corroborate with flow records or endpoint telemetry.
#   - threshold type limit / track by_src / seconds 60 / count 1 caps each rule
#     at one alert per source address per 60 seconds; the alert count is not a
#     connection count.
#   - Entries on widely used ports (80, 443) carry the most false-positive risk
#     if the address is later reassigned to another tenant.
#
# domain rules (alert dns $HOME_NET any -> $EXTERNAL_NET any)
#   - dns_query (older spelling of the dns.query buffer) + content +
#     depth:<length of the name> + isdataat:!1,relative pins the pattern to the
#     start of the query name and allows nothing after it: an exact,
#     case-insensitive (nocase) match on the full name. Other hostnames under
#     the same parent domain do not match.
#   - These rules carry no threshold, so every matching query alerts.
#   - Only queries leaving $HOME_NET match. Where clients use an internal
#     resolver, the matching packet is the resolver's upstream query and the
#     alert source is the resolver, not the client - depends on sensor
#     placement; confirm against resolver logs. Encrypted DNS is not inspected
#     by these rules.
#
# common fields
#   - target:src_ip labels the $HOME_NET side as the target (affected host) in
#     the alert record.
#   - sid is "9" followed by the ThreatFox IOC id from the reference URL, so an
#     alert maps straight back to its IOC entry.
#   - metadata carries first_seen only; nothing in a rule expires it. Aging out
#     stale indicators has to happen when the ruleset is refreshed.
# ---------------------------------------------------------------------------

# ip:port indicators; msg names the family (Meterpreter, Bashlite).
alert tcp $HOME_NET any -> [54.252.231.195] 2077 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760574; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760570; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.151] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760571; rev:1;)
alert tcp $HOME_NET any -> [45.137.70.27] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760569; rev:1;)

# Domain indicators labelled "botnet C2 traffic". Unlike the ip:port rules, msg
# names no malware family; the reference URL is the place to look it up.
# Note the first name includes the "www." label, so a query for the bare parent
# name does not match that rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.antalyarehber.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manisarehber.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760567; rev:1;)

# ip:port indicators (Sliver, Remcos, Cobalt Strike). The Cobalt Strike entry
# is on port 443: with no payload condition, any TCP traffic from $HOME_NET to
# that address on 443 alerts.
alert tcp $HOME_NET any -> [209.141.58.129] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760566; rev:1;)
alert tcp $HOME_NET any -> [43.133.214.247] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760565; rev:1;)
alert tcp $HOME_NET any -> [96.44.159.165] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760564; rev:1;)
alert tcp $HOME_NET any -> [42.193.131.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760563; rev:1;)

# "payload delivery" domains. Several hostnames share a parent under in.net
# (nasotoptional, chopexcellent). Each rule is an exact match, so a sibling
# hostname under the same parent that is not listed here will not alert;
# searching DNS logs for the parent suffix covers that gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ional-hub.nasotoptional.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nasot-opt.nasotoptional.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lent-net.chopexcellent.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chop-v81.chopexcellent.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxtravel.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lent-unit.chopexcellent.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxhouse.net.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chop-excel.chopexcellent.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760554/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxobense.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760553; rev:1;)

# Domain C2 indicators. The first name sits under portmap.host, which looks
# like a shared service parent (NOTE(review): confirm); the exact match keeps
# the rule from firing on other hostnames under that parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgdv1fdeqgbtbtrbh3-35046.portmap.host"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"josh.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760551; rev:1;)

# More "payload delivery" domains: further in.net parents (dancingvcr,
# reinsurundock, draniercism, albanianpetun, horspresence) with several listed
# hostnames each, interleaved with single names under other TLDs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dance-v9.dancingvcr.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vcr-logic.dancingvcr.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lxbrands.se"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"move-node.dancingvcr.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dance-vcr.dancingvcr.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvlenergy.pl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sur-sync.reinsurundock.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rein-v44.reinsurundock.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rein-dock.reinsurundock.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cism-flow.draniercism.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dran02.draniercism.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lupkow.pl"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cism-base.draniercism.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dran-optic.draniercism.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"petun-data.albanianpetun.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alba-v77.albanianpetun.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"petun-sys.albanianpetun.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alba-route.albanianpetun.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pres-gate.horspresence.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hors05.horspresence.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pres-mode.horspresence.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hors-link.horspresence.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760522; rev:1;)

# ip:port indicators, several families. 199.101.111.131 uses the same port
# (3790) as the .148 and .151 entries earlier in this section, and
# 18.230.151.170 is listed twice with different ports. Each address:port pair
# is its own rule and sid, so one host contacting both ports yields two alerts.
# The entries on 80 and 443 match any TCP traffic to those addresses on those
# ports; the port number says nothing about the protocol actually spoken.
alert tcp $HOME_NET any -> [16.28.95.123] 503 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760521; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.131] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760520; rev:1;)
alert tcp $HOME_NET any -> [18.230.151.170] 5671 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760519; rev:1;)
alert tcp $HOME_NET any -> [18.230.151.170] 1521 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760518; rev:1;)
alert tcp $HOME_NET any -> [20.94.46.10] 8088 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760517; rev:1;)
alert tcp $HOME_NET any -> [146.190.17.255] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760516; rev:1;)
alert tcp $HOME_NET any -> [46.8.68.4] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760515; rev:1;)
alert tcp $HOME_NET any -> [76.13.106.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760514; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.232] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760513; rev:1;)
alert tcp $HOME_NET any -> [94.26.106.216] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760512; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.36] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760511; rev:1;)
alert tcp $HOME_NET any -> [172.111.150.42] 5900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760510; rev:1;)
alert tcp $HOME_NET any -> [3.12.57.9] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760509; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.4] 18731 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760508; rev:1;)
alert tcp $HOME_NET any -> [45.136.15.176] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760507; rev:1;)
alert tcp $HOME_NET any -> [39.96.181.14] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_07; classtype:trojan-activity; sid:91760506; rev:1;)

# From here first_seen changes to 2026_03_06 (the list runs newest first).
# "payload delivery" domains, same exact-match pattern: parents gadowooing and
# sanctunputer under in.net, plus one name under com.br.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woo-sync.gadowooing.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gadow-v12.gadowooing.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woo-point.gadowooing.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gado-trace.gadowooing.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lucunha.lbatho.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sanct-net.sanctunputer.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"put03.sanctunputer.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760492; rev:1;)

# Single ip:port indicator (Meterpreter) between the domain entries.
alert tcp $HOME_NET any -> [118.25.10.65] 65011 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760491; rev:1;)

# One more sanctunputer payload-delivery hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sanct-v1.sanctunputer.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760490; rev:1;)

# Domain C2 indicators, no family in msg. myvnc.com and zapto.org look like
# shared dynamic-DNS parents (NOTE(review): confirm); only the listed hostname
# is matched, never the parent. The last three rules begin a run of hostnames
# under two parents, borneorhinoalliance.org and cakhiaax.cc.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laohen29.myvnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xrootx.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.habladourf.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.borneorhinoalliance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.cakhiaax.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.borneorhinoalliance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760485; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules in this section
#
# domain rules: dns_query + content + depth:<length of the name> +
#   isdataat:!1,relative is an exact, case-insensitive (nocase) match on the
#   whole query name. Only the listed hostnames match - not the parent domain
#   and not unlisted sibling hostnames. There is no threshold, so every
#   matching query alerts. Only queries leaving $HOME_NET are seen; behind an
#   internal resolver the alert source is the resolver rather than the client
#   (depends on sensor placement - confirm against resolver logs).
# ip:port rules: match on destination address and port alone (no flow, flags
#   or payload keyword), limited to one alert per source per 60 seconds. An
#   alert shows traffic toward the indicator, not an established C2 session.
# sid is "9" followed by the ThreatFox IOC id in the reference URL.
# ---------------------------------------------------------------------------

# Domain C2 indicators under two parents, borneorhinoalliance.org and
# cakhiaax.cc, mostly as matching label pairs (data, ddos, malware, phishing,
# quantri, atex, backup). msg names no malware family; check the referenced
# ThreatFox entry before acting on an alert. Labels such as "backup" or "data"
# are attacker-chosen hostnames and say nothing about the traffic itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.cakhiaax.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.cakhiaax.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.borneorhinoalliance.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.cakhiaax.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.borneorhinoalliance.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.cakhiaax.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.borneorhinoalliance.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.cakhiaax.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.borneorhinoalliance.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.cakhiaax.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.borneorhinoalliance.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.cakhiaax.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.borneorhinoalliance.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.cakhiaax.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.borneorhinoalliance.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760473; rev:1;)

# Single ip:port indicator (ValleyRAT).
alert tcp $HOME_NET any -> [192.163.168.59] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760468; rev:1;)

# "payload delivery" domains: several hostnames per parent under in.net
# (sanctunputer, intesttop, representtank, minenrichment). Because each rule is
# an exact match, an unlisted hostname under the same parent will not alert;
# searching DNS logs for the parent suffix covers that gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"put-vault.sanctunputer.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-sync.intesttop.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"top06.intesttop.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"intest-v9.intesttop.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-top.intesttop.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"repr-net.representtank.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tank05.representtank.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"repr-v8.representtank.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tank-gate.representtank.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rich-flow.minenrichment.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760457; rev:1;)

# This XWorm ip:port rule carries confidence_level 75, while its neighbours
# carry 100. The value appears both in msg and in metadata, so it can be used
# to route or prioritise the alert differently from the 100% entries; the rule
# action and classtype are otherwise the same as for the others.
alert tcp $HOME_NET any -> [212.28.188.80] 9090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760456/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760456; rev:1;)

# Remaining "payload delivery" hostnames (minenrichment, austrodouble).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mine08.minenrichment.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rich-v7.minenrichment.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mine-base.minenrichment.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"double-sync.austrodouble.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760452; rev:1;)

alert tcp $HOME_NET any -> [18.199.67.179] 250 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760451; rev:1;) alert tcp $HOME_NET any -> [45.194.92.55] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760450; rev:1;) alert tcp $HOME_NET any -> [129.213.102.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760449; rev:1;) alert tcp $HOME_NET any -> [5.178.96.123] 4432 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.uqr4lo1t.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760446; rev:1;) alert tcp $HOME_NET any -> [200.90.79.152] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760447; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vqpnhn8j.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760445; rev:1;) alert tcp $HOME_NET any -> [45.83.31.239] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760444; rev:1;) alert tcp $HOME_NET any -> [103.82.24.104] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760443; rev:1;) alert tcp $HOME_NET any -> [101.126.137.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760442; rev:1;) alert tcp $HOME_NET any -> [115.190.223.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760441; rev:1;) alert tcp $HOME_NET any -> [8.138.103.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1760440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760440; rev:1;) alert tcp $HOME_NET any -> [23.226.56.221] 18731 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"austro02.austrodouble.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"double-v6.austrodouble.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760437; rev:1;) alert tcp $HOME_NET any -> [108.187.40.191] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"austro-hub.austrodouble.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91760435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dia-net.dialectblood.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760434; rev:1;) alert tcp $HOME_NET any -> [146.70.51.74] 3669 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dia-v5.dialectblood.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blood-unit.dialectblood.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mx7society.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"moro-sync.moroshkasvet.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pidoras6742-56928.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aviammo.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svet09.moroshkasvet.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muvisaskillgen.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"moro-v4.moroshkasvet.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svet-core.moroshkasvet.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woman-flow.youngwoman.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"young01.youngwoman.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woman-v3.youngwoman.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760416; rev:1;) alert tcp $HOME_NET any -> [103.215.77.16] 4499 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1760415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760415; rev:1;) alert tcp $HOME_NET any -> [137.220.154.94] 54411 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760414; rev:1;) alert tcp $HOME_NET any -> [94.156.102.255] 2077 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basic-incoming.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:4782"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:8848"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1760409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:443"; depth:5; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:7707"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:8808"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:8888"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760408; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"drplus.in.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1760404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/:6606"; depth:6; nocase; http.host; content:"www.73bet.app"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760405; rev:1;)
# NOTE(review): sids 91760400, 91760401, 91760402, 91760403 and 91760404 have
# identical match logic (GET plus http.uri content "drplus.in.net" with
# depth:13); only the reference and the sid differ, so a request that matches
# one of them raises five alerts.
# The content is a hostname placed in http.uri and anchored to the first 13
# bytes, and there is no http.host condition. A normalized request URI usually
# begins with "/", so these rules are unlikely to fire on ordinary requests.
# The path of the original URL indicators appears to have been lost when the
# rules were generated - confirm against the referenced ThreatFox entries.
# In practice, detection for this domain rests on the exact-match DNS rule
# sid 91760399.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"drplus.in.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1760403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"drplus.in.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1760402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"drplus.in.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1760400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"drplus.in.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1760401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760401; rev:1;)
# Exact-match DNS query rule for the same domain: depth:13 plus
# isdataat:!1,relative pins the whole query name, so subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drplus.in.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760399; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.215] 4949 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup5555.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arklen-64027.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"jaheya5849-64670.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrem.workinnet.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"musique.gaboivin.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adapters-invitations-seating-sims.trycloudflare.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floppy-excited-advertisers-hosted.trycloudflare.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"download.businessventure.cv"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.vercel.qpon"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.skibidibopbop.lol"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760383; rev:1;) alert tcp $HOME_NET any -> [156.229.162.227] 80 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760376; rev:1;) alert tcp $HOME_NET any -> [107.172.13.174] 80 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760377; rev:1;) alert tcp $HOME_NET any -> [217.60.7.193] 80 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760378/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_06; classtype:trojan-activity; sid:91760378; rev:1;) alert tcp $HOME_NET any -> [45.133.74.243] 80 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760379; rev:1;) alert tcp $HOME_NET any -> [91.200.100.7] 80 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"munirhassan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760375/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760375; rev:1;) alert tcp $HOME_NET any -> [35.152.68.228] 6697 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760371; rev:1;) alert tcp $HOME_NET any -> [43.208.5.244] 1311 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760372; rev:1;) alert tcp $HOME_NET any -> [13.201.35.47] 22922 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760370; rev:1;) alert tcp $HOME_NET any -> [13.201.35.47] 21722 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760368; rev:1;) alert tcp $HOME_NET any -> [13.201.35.47] 22322 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760369; rev:1;) alert tcp $HOME_NET any -> [196.75.0.61] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760367; rev:1;) alert tcp $HOME_NET any -> [45.90.98.63] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760366; rev:1;) alert tcp $HOME_NET any -> [102.98.197.191] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760365; rev:1;) alert tcp 
$HOME_NET any -> [190.255.93.218] 8540 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760364; rev:1;)
alert tcp $HOME_NET any -> [136.244.82.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760363; rev:1;)
alert tcp $HOME_NET any -> [150.241.73.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mundopetaraucaria.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760361; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.162] 3066 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760360/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760360; rev:1;)
# NOTE(review): sid 91760359 pins http.host to "192.168.71.252", an RFC 1918
# private address, while the rule header is $HOME_NET -> $EXTERNAL_NET.
# In the common setup where HOME_NET covers 192.168.0.0/16 and EXTERNAL_NET is
# !$HOME_NET, a connection to that host itself is internal and is not matched
# by this rule. A hit then requires a request to an external address that
# carries this literal Host header.
# The indicator presumably comes from a lab or sandbox capture
# (confidence_level is 75) - confirm against the referenced ThreatFox entry
# and triage hits as low fidelity.
# The http.uri content is anchored with depth:49 and has no isdataat, so it is
# a prefix match on the path; the http.host content is matched exactly
# (depth:14 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/vendor/bootstrap/dist-bundle-2.1.4.min.js"; depth:49; nocase; http.host; content:"192.168.71.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760359/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mundoluz.prestacel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760358; rev:1;)
alert tcp $HOME_NET any -> [107.172.13.251] 2888 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760357/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multipinturasguanipa.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"givemebestblessfromtheangelforcashouttog.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760354/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"young-site.youngwoman.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pigeon-net.pigeonbreed.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"breed07.pigeonbreed.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsocietyserver-63331.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fusldhtp5.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abujafirms-36349.portmap.host"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dkcraneservices.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760345; rev:1;) alert tcp $HOME_NET any -> [158.94.211.251] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dolarciao.it.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ike.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqtuxh.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91760341; rev:1;)
# NOTE(review): the content string below reads as "ufb.uk.com" written twice,
# and depth:20 is the length of the doubled string. Because depth together
# with isdataat:!1,relative requires the whole query name to equal the
# content, a lookup of ufb.uk.com on its own does not match this rule.
# Check the ThreatFox entry referenced in the rule before relying on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufb.uk.comufb.uk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760342; rev:1;)
# Each rule below matches only the exact query name given in content
# (case-insensitive); subdomains of these names are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok8386.cheap"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c168.casino"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c168.fund"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fly88.limited"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ok8386.casino"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pigeon-v2.pigeonbreed.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bird-farm.pigeonbreed.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sync-base.comenskeptic.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"com03.comenskeptic.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skept-v1.comenskeptic.in.net"; depth:28; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loja.controlink.pt"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"com-node.comenskeptic.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fieldman-toolnode.fieldmanfix.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qi1.xin"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760326/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrf.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760324/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrf.digitalmatters360.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ruralcraft.fieldmanfix.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760322; rev:1;)
# URL rules: http.uri content:"/"; depth:1 only requires the URI to begin
# with "/", so the path adds no selectivity. Any client GET on an established
# flow whose Host header equals the listed name matches.
# NOTE(review): presumably the underlying IOC is a URL with an empty path;
# confirm against the ThreatFox entries. The same two host names are also
# covered by dns_query rules (sids 91760324 and 91760325), so one visit can
# raise both a DNS and an HTTP alert; correlate them rather than counting
# them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vrf.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vrf.digitalmatters360.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6mrx.fieldmanfix.in.net"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blind-devgrid.blinderdevour.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkconsume.blinderdevour.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760317; rev:1;) alert tcp $HOME_NET any -> [5.128.28.134] 29932 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"usd-waneframe.usdwane.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k3wqt.usdwane.in.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760311/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"even-sponsorlink.evenssponsor.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brandbridge.evenssponsor.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z7rvk.evenssponsor.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dropout-switchgate.dropout.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2kpplbt.awakepathog.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91760304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sqddakti.awakepathog.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"exitroute.dropout.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fartnaga123-37438.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2q9x.dropout.in.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760300; rev:1;) alert tcp $HOME_NET any -> [18.201.62.1] 81 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760299; rev:1;) alert tcp $HOME_NET any -> [168.245.203.232] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760298; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760297; rev:1;) alert tcp $HOME_NET any -> [31.57.216.126] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760296; rev:1;) alert tcp $HOME_NET any -> [157.245.218.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760295; rev:1;) alert tcp $HOME_NET any -> [172.111.232.235] 8201 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760294; rev:1;) alert tcp $HOME_NET any -> [104.250.169.106] 3011 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760293/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadowlogikov-33583.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsocietyserver-38405.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"piit-tabvector.piittablet.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msipep.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dataplate.piittablet.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91760288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t5zw3.piittablet.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rantier-loopnode.rantiercling.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msi.tiendajae.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760285; rev:1;) alert tcp $HOME_NET any -> [65.21.104.235] 48261 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760284/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"circleforge.rantiercling.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"r8kqm.rantiercling.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ochech-lockframe.ochechstop.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haltpoint.ochechstop.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x4qzt.ochechstop.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hyblazemc.myddns.me"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760278; rev:1;) alert tcp $HOME_NET any -> [209.25.141.23] 1094 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760277; rev:1;)
# The next three rules go together: 193.161.193.99 is listed on two ports
# (5520 and 52372), and the number in the portmap.host name (52372) is the
# same as the second port.
# NOTE(review): this looks like a port-forwarding service where many tenants
# share one relay address and only the port identifies the tunnel. If so,
# the address alone is not a reliable indicator and may be reused by
# unrelated users later; keep the port in any block or hunt built from these
# rules, and confirm against the ThreatFox entries.
alert tcp $HOME_NET any -> [193.161.193.99] 5520 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doghan-52372.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760275; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 52372 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760274; rev:1;)
# Exact-name DNS rules: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so only the full listed query
# name matches (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"proof-anchorgrid.proofsurvivor.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flivication-officefax.myhome-server.de"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760272/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.motchillio.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptx.root64.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrwebconsultant.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lifeline.proofsurvivor.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v9k2p.proofsurvivor.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760266; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"addict-veilcore.addictfear.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760265; rev:1;)
# Domain rules (dns_query is the older spelling of the dns.query sticky buffer):
# depth equals the length of the name and isdataat:!1,relative requires the query
# buffer to end right after it, so each rule fires only on a lookup of that exact
# FQDN (case-insensitive). Other hosts under the same parent zone are not covered
# unless they have their own rule. target:src_ip tags the querying $HOME_NET host
# as the target side of the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowpulse.addictfear.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7mxr.addictfear.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kvid5obz.awakepathog.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gq6gzvw6.awakepathog.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amp-winvector.amperewin.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"currentflow.amperewin.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mreza.izkruga.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y7qz2.amperewin.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrbuho.mx"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scene4-render.fourscene.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"visualstage.fourscene.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bapesta.akjqdf.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760253; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to
# the listed address and port matches, a connection attempt that never completes
# included. threshold limits output to one alert per source host per 60 seconds,
# per rule. The family name in msg comes from the feed; the rule itself does not
# inspect the protocol spoken on the connection.
alert tcp $HOME_NET any -> [198.46.173.20] 4333 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8rvk.fourscene.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760251; rev:1;)
alert tcp $HOME_NET any -> [178.128.174.202] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06;
classtype:trojan-activity; sid:91760064; rev:1;)
# Domain rules: depth equals the length of the name and isdataat:!1,relative
# requires the query buffer to end right after it, so each rule fires only on a
# lookup of that exact FQDN (case-insensitive); sibling hosts in the same zone
# need their own rule.
# The next two entries carry confidence_level 75 in their metadata, below the 100
# on most rules here. NOTE(review): consider triaging on that metadata field
# rather than treating every sid in the feed equally.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"go88x.pro"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760081/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"go88trangchu.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760082/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bestbettersolutions.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearstats.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n0sasahqstdjb67a.frostapi.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datadrive.corvetfordata.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760238; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to
# the listed address and port matches. threshold limits output to one alert per
# source host per 60 seconds, per rule.
alert tcp $HOME_NET any -> [206.189.72.192] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760241; rev:1;)
# url rule: http.host must equal the name exactly (depth + isdataat:!1,relative),
# but http.uri has only content:"/" with depth:1, which every origin-form request
# path satisfies. In effect this alerts on any client GET to that host, whatever
# the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alpha.erbildecoor.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760244/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_06; classtype:trojan-activity; sid:91760244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lsvvpb8t.drinktide.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d2t7xj4f.drinktide.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"denny-holdgrid.dennyportfol.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assetfolio.dennyportfol.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760247; rev:1;)
# confidence_level 75 on this address-only rule: the match is on destination
# address and port alone, so it is a lead for follow-up on the source host rather
# than proof of the named family.
alert tcp $HOME_NET any -> [185.242.3.55] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760246/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w3x9m.dennyportfol.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mpcpolyplast.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760243; rev:1;)
alert tcp $HOME_NET any -> [156.254.21.227] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1760242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760242; rev:1;)
# Domain rules: depth equals the length of the name and isdataat:!1,relative
# requires the query buffer to end right after it, so each rule fires only on a
# lookup of that exact FQDN (case-insensitive). Several names below share a
# parent zone; each listed host is its own rule and the parent zone itself is not
# matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movitelf.es"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760240/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corvetx-stream.corvetfordata.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z5qtr.corvetfordata.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760237; rev:1;)
# ip:port rule with no flow or content keyword: any TCP packet from $HOME_NET to
# this address and port matches; threshold limits output to one alert per source
# host per 60 seconds. confidence_level is 75 here, so treat a hit as a lead for
# follow-up on the source host.
alert tcp $HOME_NET any -> [45.137.23.60] 1529 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760236/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movietripshow.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"anny-devframe.annyprogramm.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"molip.sk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"codesprint.annyprogramm.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ygzulpfl.floatmurta.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h5gxu4pp.floatmurta.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v8kq3.annyprogramm.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"microb1o-lattice.sdflkmicrobiol.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cellculture.sdflkmicrobiol.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n4qx7.sdflkmicrobiol.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"birdfract-sky.breaknbird.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)";
dns_query; content:"wingflight.breaknbird.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760223; rev:1;)
# Domain rules: depth equals the length of the name and isdataat:!1,relative
# requires the query buffer to end right after it, so each rule fires only on a
# lookup of that exact FQDN (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6pzr.breaknbird.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"constell-1node.constellupd.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760221; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to
# the listed address and port matches, whatever is spoken on the connection.
# threshold limits output to one alert per source host per 60 seconds, per rule.
# NOTE(review): several entries below are on port 443 and match on address alone;
# if an address also serves unrelated TLS traffic, that traffic alerts as well,
# so corroborate with host or TLS telemetry before acting on a single hit.
alert tcp $HOME_NET any -> [45.77.34.87] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760219; rev:1;)
alert tcp $HOME_NET any -> [31.57.216.126] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760218; rev:1;)
# msg names the family as "Unknown malware": the feed lists the endpoint without
# attributing it, so the alert text gives no family to pivot on.
alert tcp $HOME_NET any -> [18.180.215.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760217; rev:1;)
alert tcp $HOME_NET any -> [51.222.87.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760216; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.204] 10052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760215; rev:1;)
alert tcp $HOME_NET any -> [14.103.150.186] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"starvector.constellupd.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q9wm4.constellupd.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760211; rev:1;)
alert tcp $HOME_NET any -> [65.21.225.207] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760206; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.64] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760207; rev:1;)
alert tcp $HOME_NET any -> [74.0.42.204] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760208; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.37] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760209; rev:1;)
alert tcp $HOME_NET any -> [89.167.108.129] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nap.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760204/; target:src_ip; metadata: confidence_level 100,
first_seen 2026_03_06; classtype:trojan-activity; sid:91760204; rev:1;)
# Domain rule: depth equals the length of the name and isdataat:!1,relative
# requires the query buffer to end right after it, so only a lookup of that exact
# FQDN fires (case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nap.digitalmatters360.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760205; rev:1;)
# url rules: http.host must equal the listed value exactly (depth +
# isdataat:!1,relative), but http.uri has only content:"/" with depth:1, which
# every origin-form request path satisfies. Each rule therefore alerts on any
# client GET to that host. Five of the hosts are IP literals, so those rules apply
# to requests addressed by IP rather than by name. These inspect parsed HTTP only;
# nothing here looks inside TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.108.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nap.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nap.digitalmatters360.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.225.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.64"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.204"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.37"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coachburn-edge.coachcoal.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760196; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to
# the listed address and port matches. threshold limits output to one alert per
# source host per 60 seconds, per rule.
# The first entry carries confidence_level 50, the lowest value in this part of
# the feed. NOTE(review): consider filtering or down-prioritising on that
# metadata field instead of paging on this sid directly.
alert tcp $HOME_NET any -> [213.142.148.166] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760091/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teamforge.coachcoal.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760083; rev:1;)
alert tcp $HOME_NET any -> [45.55.77.196] 12345 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759327; rev:1;)
alert tcp $HOME_NET any -> [161.35.171.177] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759344; rev:1;)
alert tcp $HOME_NET any -> [165.227.66.229] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759345; rev:1;)
alert tcp $HOME_NET any -> [143.110.174.5] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1759346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759346; rev:1;)
# ip:port rules have no flow or content keyword: any TCP packet from $HOME_NET to
# the listed address and port matches. threshold limits output to one alert per
# source host per 60 seconds, and it is applied per rule. Several addresses below
# appear under more than one port, each with its own sid, so one internal host
# talking to one address can still raise several alerts in the same minute.
# Group by destination address when triaging.
alert tcp $HOME_NET any -> [178.128.174.202] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759347; rev:1;)
alert tcp $HOME_NET any -> [167.172.150.241] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759348; rev:1;)
alert tcp $HOME_NET any -> [206.189.72.192] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759349; rev:1;)
alert tcp $HOME_NET any -> [206.189.72.196] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759352; rev:1;)
alert tcp $HOME_NET any -> [165.227.66.229] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759353; rev:1;)
alert tcp $HOME_NET any -> [159.65.56.1] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759354; rev:1;)
alert tcp $HOME_NET any -> [159.65.72.184] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759355; rev:1;)
alert tcp $HOME_NET any -> [46.101.94.33] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759372; rev:1;)
alert tcp $HOME_NET any -> [159.65.56.1] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759374; rev:1;)
alert tcp $HOME_NET any -> [165.227.66.229] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759375/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759375; rev:1;)
alert tcp $HOME_NET any -> [159.65.72.184] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759377; rev:1;)
alert tcp $HOME_NET any -> [161.35.37.48] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759379; rev:1;)
alert tcp $HOME_NET any -> [206.189.72.192] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760009; rev:1;)
alert tcp $HOME_NET any -> [161.35.37.48] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760016; rev:1;)
# url rule: http.host must equal the name exactly (depth + isdataat:!1,relative).
# http.uri has depth:11 but no end-of-buffer check, so it is a case-insensitive
# prefix match: "/index.html" followed by a query string or further characters
# also fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.html"; depth:11; nocase; http.host; content:"cdn-verify-cloudflareservices1.t3.storage.dev"; depth:45; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760055/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_06; classtype:trojan-activity; sid:91760055; rev:1;)
# Same address on two ports, confidence_level 80 on both.
alert tcp $HOME_NET any -> [176.65.139.42] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759370/; target:src_ip; metadata: confidence_level 80, first_seen 2026_03_06; classtype:trojan-activity; sid:91759370; rev:1;)
alert tcp $HOME_NET any -> [176.65.139.42] 1914 (msg:"ThreatFox
Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759371/; target:src_ip; metadata: confidence_level 80, first_seen 2026_03_06; classtype:trojan-activity; sid:91759371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a7h.js"; depth:8; nocase; http.host; content:"oriana84.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oriana84.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"oriana84.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; nocase; http.host; content:"heavens-gate.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759286; 
rev:1;)
# DNS rules: exact, case-insensitive match on the full query name (depth equals the name
# length; isdataat:!1,relative rejects anything after it). dns_query is the older
# spelling of the dns.query buffer keyword.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heavens-gate.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cryp-sync.cryptonest.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759282; rev:1;)
# ip:port rule: destination address and port only, no flow or content keyword, limited
# to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [137.184.111.42] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flow-core.fluxbridge.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759256; rev:1;)
alert tcp $HOME_NET any -> [188.166.113.249] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"gerony.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759233; rev:1;)
# URL rules for gerony.top and amfredio.com. Each needs a GET, a URI that begins with the
# listed path (start anchored by depth, end not anchored) and a Host header equal to the
# listed name. "/server" therefore also matches longer paths with that prefix on the
# same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reset/private-compiler.js"; depth:26; nocase; http.host; content:"gerony.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reset/tenant-pipeline.php"; depth:26; nocase; http.host; content:"gerony.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server"; depth:7; nocase; http.host; content:"amfredio.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759230; rev:1;)
# ip:port rule: matches the destination address and port only, so it does not prove that
# a session was established. Limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [138.197.125.215] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759229; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kero01.avonkerosene.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759228; rev:1;)
# amfredio.com appears as a DNS rule (exact query-name match) and as a URL rule. The DNS
# rule fires on the lookup; the URL rule fires only when the HTTP request is visible in
# cleartext to the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amfredio.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/success"; depth:8; nocase; http.host; content:"amfredio.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759226; rev:1;)
# trofedi.top is listed with the same /reset/private-compiler.js and
# /reset/tenant-pipeline.php paths as other URL rules in this feed; the Host test is what
# tells the rules apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reset/private-compiler.js"; depth:26; nocase; http.host; content:"trofedi.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reset/tenant-pipeline.php"; depth:26; nocase; http.host; content:"trofedi.top"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1759224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759224; rev:1;)
# Mixed rule types on this line. DNS rules match the whole query name exactly (depth
# equals the name length, isdataat:!1,relative rejects trailing bytes, nocase). URL rules
# match a GET with a URI prefix and an exact Host. ip:port rules match destination
# address and port with a 60-second per-source alert limit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trofedi.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reset/admin-hook.js"; depth:20; nocase; http.host; content:"trofedi.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759222; rev:1;)
alert tcp $HOME_NET any -> [198.211.115.123] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"avon-v9.avonkerosene.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kz7v2.coachcoal.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760063/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760063; rev:1;)
# URL rules whose host names and paths are themed on meeting invitations ("zoom",
# "meeting", ".../windows/invite.php"). The feed rates all of them confidence_level 50,
# so treat a hit as a lead to corroborate with endpoint or proxy evidence rather than as
# a confirmed compromise. Each rule needs a GET, a URI beginning with the listed path and
# a Host equal to the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/invite.php"; depth:24; nocase; http.host; content:"zoommeetingapplicant.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760059/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/id/windows/invite.php"; depth:22; nocase; http.host; content:"us69webacc.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760060/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ejoinzoom.us/windows/invite.php"; depth:32; nocase; http.host; content:"joinmeetinginvite.im"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760061/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/invite.php"; depth:19; nocase; http.host; content:"zoommeetingsapplicantinvite.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760062/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91760062; rev:1;)
# ip:port rule: destination address and port only, no flow or content keyword; at most
# one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [212.11.64.215] 4400 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760056; rev:1;)
# DNS rules. Several names sit under zones that many unrelated parties share
# (ddnsgeek.com, duckdns.org, br.com, cn.com). The match is exact on the full query name,
# so only the listed host alerts, never the parent zone or a sibling name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rajkumarred.ddnsgeek.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rajkumarred.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"au88.br.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"au88a.cn.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"au88green.us.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760053; rev:1;)
# DNS rules: exact, case-insensitive match on the complete query name. Confidence drops
# from 100 to 50 partway through this line; metadata confidence_level carries the same
# number as the msg text and can be used to route the lower-rated alerts separately.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwi.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travel-korean.in.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"abcgrid-0form.abcdesign.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"win-sys-health.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760047/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"artworkinc.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1760048/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760048; rev:1;)
# Every rule on this line is confidence_level 50. The ip:port rule matches destination
# address and port only, and 8080 is a common service port, so confirm the IOC is still
# current on the reference page before acting on a hit.
alert tcp $HOME_NET any -> [45.143.167.33] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760046/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"maherooff12.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760045/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760045; rev:1;)
# serverN.sofolisk.com / serverN.fulusus.com: one exact-match DNS rule per enumerated
# host name. Because the match is exact, a host name outside the enumerated set (another
# N, another label) raises no alert from these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server4.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760034/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server5.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760035/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server5.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760036/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760036; 
rev:1;)
# Enumerated serverN host names under fulusus.com and sofolisk.com, all confidence_level
# 50. Each rule matches exactly one query name (depth equals the name length,
# isdataat:!1,relative rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server6.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760037/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server6.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760038/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server7.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760039/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server7.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760040/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server8.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760041/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"server8.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760042/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760042; rev:1;)
# Exact-match DNS rules, confidence_level 50. The bare "fulusus.com" rule (sid 91760024)
# matches only a query for that name itself. Its depth:11 plus isdataat:!1,relative
# means server1.fulusus.com and the other host names are not covered by it and need
# their own rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server9.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760043/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server9.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760044/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fulusus.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760024/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server1.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760025/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server1.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1760026/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760026; rev:1;)
# More enumerated serverN host names, confidence_level 50. depth tracks each name's
# length (20 for server10.fulusus.com, 21 for server10.sofolisk.com), which together with
# isdataat:!1,relative keeps every match exact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server10.fulusus.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760027/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server10.sofolisk.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760028/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server2.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760029/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server2.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760030/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server3.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760031/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; 
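classtype:trojan-activity; sid:91760031; rev:1;)
# Exact-match DNS rules for two enumerated serverN host names, confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server3.sofolisk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760032/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"server4.fulusus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760033/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760033; rev:1;)
# URL rule: GET, URI beginning with /api/install-failure, Host exactly fulusus.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/install-failure"; depth:20; nocase; http.host; content:"fulusus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760022/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760022; rev:1;)
# sid 91760023 was shipped with the host name in the URI buffer
# (http.uri; content:"sofolisk.com"; depth:12; nocase;) and no http.host test. A request
# URI normally begins with "/", so that form could not match an ordinary request and the
# rule was effectively dead. It now tests http.host for an exact match, the same shape
# as the rule above.
# NOTE(review): presumably the IOC was submitted without a scheme or path -- confirm on
# the reference page, and report it upstream so a feed refresh does not restore the old
# form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sofolisk.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760023/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelcraft.abcdesign.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; 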
classtype:trojan-activity; sid:91760021; rev:1;)
# Exact-match DNS rules, confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"marketplace.br.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760019/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vuabets88.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760020/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760020; rev:1;)
# URL rule with a long path under /wp-admin/ on electrico.co.zw. NOTE(review): the path
# looks like a file planted on a third-party site -- a hit points at the listed path,
# not at the whole site, so confirm against the reference page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/five/five/pvqdq929bsx_a_d_m1n_a.php"; depth:45; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760018/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760018; rev:1;)
# The URI test here is the single byte "/" at offset 0, which every ordinary request
# path satisfies. In effect this rule alerts on any GET whose Host is exactly
# mcypresss.asia, at confidence_level 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mcypresss.asia"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760017/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_06; classtype:trojan-activity; sid:91760017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rx8qk.abcdesign.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760015/; 
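target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760015; rev:1;)
# ip:port rules: destination address and port only, with no flow or content keyword, so
# a bare connection attempt alerts too. Limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [206.238.180.21] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760014; rev:1;)
alert tcp $HOME_NET any -> [43.98.246.18] 3333 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1760013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760013; rev:1;)
# DNS rule: exact, case-insensitive match on the full query name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stre06.aquastream.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760012; rev:1;)
# sid 91760011 was shipped with the address in the URI buffer
# (http.uri; content:"194.195.209.91"; depth:14; nocase;) and no http.host test. A
# request URI normally begins with "/", so that form could not match an ordinary
# request. It now tests http.host for an exact match on the address literal, the shape
# this feed uses for the host part of its URL rules.
# NOTE(review): presumably the IOC was submitted without a scheme or path -- confirm on
# the reference page and report it upstream. Whether http.host carries a non-default
# port suffix should be checked on the deployed Suricata version before relying on the
# end anchor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"194.195.209.91"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1760011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x98wr-43312.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760010; rev:1;)
alert dns 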
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f7ozu1t9.flogginquisit.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760008; rev:1;)
# Exact-match DNS rules. The first is payload delivery at confidence 100; the rest are
# botnet C2 entries at confidence_level 75. The msg text names no malware family, so
# attribution has to come from the reference page of each IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k2rprgmy.flogginquisit.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91760007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pauktriixu.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759996/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peculaters.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759997/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tracktimespa.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759998/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"teuffered.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759999/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759999; rev:1;)
# Botnet C2 domain rules, confidence_level 75. Each matches one full query name exactly
# and case-insensitively. A lookup alone shows that a host resolved the name, not that a
# connection followed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"communistric.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760000/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760000; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oldestricks.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760001/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unaffects.de.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760002/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"illegate.wiki"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760003/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sectifiers.gb.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1760004/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760004; rev:1;)
# Botnet C2 domain rules, confidence_level 75, exact match on the whole query name. The
# two "sub."-prefixed entries list that host name only: a query for the parent domain or
# for another label under it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"obeliscobrindes.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760005/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imporation.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1760006/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91760006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sub.cobarteres.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759967/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accounteering.com.se"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759968/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authorians.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759969/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91759969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aceh4dstand.kazmielecom.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759970/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lscomic.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759971/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comparisting.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759972/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"micecable.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759973/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"independoza.news"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759974/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"proximatical.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759975/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sub.cyberchael.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759976/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capturessing.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759977/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumflickhub.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759978/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"win772.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759979/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"paperwriting-service.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759980/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"histofort.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759981/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lessenges.bid"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759982/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greaterializing.us"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759983/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"terminal4dstar.amigdalomoraitis.gr"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759984/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenfusionnowx.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759985/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seapons.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759986/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"magleekbotais.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759987/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"excellence.palachiangle.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759988/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mysticfusionnow.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759989/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vibezenithx.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759990/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"glimmerforge.uk.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759991/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"centioch.us"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759992/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"contacticaller.com.se"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759993/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"security-images.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759994/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goalternal.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759995/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dispossessive.bid"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759938/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alvdalensforetagsmassa.se"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759939/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amazon-row.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759940/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newzfresh.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759941/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vaattlacteng.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759942/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"procely.gr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759943/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cominally.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759944/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"covertiny.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759945/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pureglownow.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759946/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subduedpush.uk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759947/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"historative.co.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759948/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"solarlynxx.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759949/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mysticfusionx.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759950/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flashzenithx.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759951/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail6.brabluthe.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759952/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sparently.stream"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759953/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cobarteres.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759954/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kerchase.com.se"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759955/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turboechonow.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759956/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"borrock.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759957/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"consultoria01a.sairavoabemalto.cfd"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759958/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"folloquially.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759959/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circulosive.org.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759960/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sidgwart.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759961/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"outsidences.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759962/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billinessmer.co.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759963/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cpanel.alvdalensforetagsmassa.se"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759964/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"jcpcom.vip-cheats.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759965/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"surgecraft.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759966/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"richigantial.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759908/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"36b5759.hirthe.deternating.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759909/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"folkcatart.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759910/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cck-opal-cosmetics.sa.com"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759911/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"espied.diversist.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759912/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"638760838653830192.paris-lmnnew-aaa.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759913/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lunadrift.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759914/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"networkshirles.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759915/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"democracialism.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759916/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bbs.diversist.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759917/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imd02.diversist.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759918/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"solarwavex.nl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759919/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refusaling.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759920/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kjobedfkog.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759921/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759921; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turboblazenowx.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759922/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"plainstandard.love"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759923/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"econcreato.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759924/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imporategory.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759925/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billagellion.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759926/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"terminal4dgacor.saarthitrust.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759927/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turboblazenow.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759928/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stoichigan.nl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759929/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crometimes.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759930/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visit.newsbelarus.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759931/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenvibenowx.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759932/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"johanniba.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759933/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mysticblazenowx.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759934/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"acceptionics.stream"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759935/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"essaugavada.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759936/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"websupport.com.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759937/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91759937; rev:1;)
# ThreatFox domain IOCs, one DNS rule per domain. Every complete rule in this
# run carries confidence_level 75 and first_seen 2026_03_06.
# Match logic: the rule inspects the DNS query name sent from $HOME_NET.
# depth is set to the length of the content string (anchors the start) and
# isdataat:!1,relative requires that no byte follows the match (anchors the
# end), so with nocase this is a case-insensitive exact match on the listed
# name. Subdomains of a listed name and longer names containing it do not hit.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# target:src_ip records the querying host as the target side of the alert.
# NOTE(review): a hit shows a name lookup only, not a completed connection;
# correlate with resolver, proxy or endpoint logs before treating the host as
# compromised, especially at this 75% confidence level.
# NOTE(review): several names sit under shared dynamic-DNS or hosting-provider
# zones (duckdns.org, ddns.net, contaboserver.net). Such hostnames are cheap to
# rotate, so these rules presumably age quickly; keep the feed refreshed.
# NOTE(review): dns_query is, as far as I know, the legacy spelling of the
# dns.query sticky buffer in newer Suricata releases; confirm against the
# deployed engine version.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanpulsex.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759878/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hermenish.com.co"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759879/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neopological.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759880/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenstreamnow.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759881/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wolketinued.com.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759882/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"otherench.news"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759883/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"5c10365e5d.hirthe.deternating.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759884/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"contactivities.com.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759885/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"perposed.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759886/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caroliness.ch"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759887/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"decliniwerks.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759888/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"decreteur.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759889/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"commoditeral.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759890/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ilottered.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759891/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"c.arkadia12.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759892/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"extrustrative.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759893/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lentars.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759894/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"easuldron.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759895/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"contracterium.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759896/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chniticarovies.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759897/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"howevertension.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759898/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"compireach.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759899/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vladiyatt.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759900/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"compreheart.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759901/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pureglowx.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759902/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stellarzenx.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759903/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"5c103b5e5d.hirthe.deternating.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759904/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddfsfsdf.bavarsi.com.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759905/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flouristic.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759906/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mclaughlin.hypernovastrata.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759907/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reforestoryv.com.se"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759848/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"revueandnews.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759849/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumminglex.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759850/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenwavex.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759851/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gangaikov.gr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759852/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turner.confederably.de"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759853/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gibson.iwerkshi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759854/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purenexusnow.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759855/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mannelson.us.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759856/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poverting.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759857/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenminglenowx.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759858/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turboglownow.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759859/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumzenith.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759860/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"limitational.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759861/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldfusionnow.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759862/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenithdrift.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759863/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"containoa.com.se"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759864/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"truepulsenow.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"likelyn.bid"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759866/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trueglownowx.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759867/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nonstoplong-term.me"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759868/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vibeloom.dev"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759869/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"collingular.com.se"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759870/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"starpulsecore.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759871/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"containstrast.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759872/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flashminglenowx.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759873/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"governovelisk.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759874/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"warshere.gb.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759875/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mechangels.jp.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759876/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elimitressbow.com.se"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759877/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cihxmeazaj.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759818/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sfimosrgch.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759819/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pblyltthfe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759820/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kftwmhigho.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759821/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imfsoyhdsz.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759822/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fgiizmzm6.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759823/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voiceunbecoming.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759824/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vluhsxhtjc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759825/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"separticle.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759826/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"passault.support"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759827/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jizoiqgwkj.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759828/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ysnathnhxh.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759829/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lxuimwtmbh.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759830/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrt1122.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759831/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vwestqocet.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759832/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phudrmagsy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759833/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"decembers.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759834/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mo5hvp.dyiw7.boatersbowness.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759835/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"guitrar.drumbalsruffows.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759836/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turbopulsex.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759837/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wonderpulse.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759838/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vmi2571064.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759839/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nordinatently.com.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759840/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"at-assurances.be"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759841/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goldgrabberhighbankers.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759842/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"controllege.gold"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759843/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unreleasted.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759844/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ziphelpless.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759845/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kuhic.nutriwellcoaching.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759846/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webcerthost.digital"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759847/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turbofusionnowx.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759798/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atmosphored.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759799/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"collectroduce.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759800/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"essentends.org.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759801/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanstreamnow.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759802/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tunationina.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759803/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thentions.eu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759804/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"symmetreas.media"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759805/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spectivized.org.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759806/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"payment.spfwebgov.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759807/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tarbuthnonymous.org.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759808/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arbizosacches.bid"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759809/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mattuce.org.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759810/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanvibex.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759811/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supportantiqui.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759812/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qlhatbmjgx.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759813/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"lcqulvnudu.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759814/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rsnycdwm.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759815/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sarkovic.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759816/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moshup.dyiw7.boatersbowness.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759817/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"businging.support"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759779/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stellarechonow.nl"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759780/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanglowx.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759781/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pureechonowx.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759782/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mysticstreamnowx.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759783/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nassified.eu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759784/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantummingle.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759785/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_03_06; classtype:trojan-activity; sid:91759785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flashvibenowhub.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759786/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eclinately.com.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759787/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swiftechohub.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759788/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanzenx.nl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759789/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turbostream.dev"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759790/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"quantumvibex.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759791/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pyramidshipment.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759792/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"animitical.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759793/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nimizing.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759794/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moraining.support"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759795/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"scorintern.jp.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759796/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yieldestroke.eu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759797/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dreamblazex.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759750/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hypercore.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759751/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purevibenow.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759752/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"notective.com.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759753/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"debritary.me.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759754/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crystalpulsevibe.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759755/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comediasport.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759756/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allowheatres.bid"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759757/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"againsteam.com.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759758/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"condor2835.startdedicated.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759759/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authorsenic.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759760/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"responsonic.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759761/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3gpjizz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759762/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"governorshrug.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759763/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purepulsenow.me"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759764/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dreamblazenowx.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purepulsenowx.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759766/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenblazenow.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidvibenow.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759768/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chillzing.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldglidex.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ppldn.purporate.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759771/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edistantive.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759772/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arrondi.monticle-facture.zayat.ineffections.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759773/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vibefusionx.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759774/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenstrivenow.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759775/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ulricheld.media"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759776/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumglowx.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidzenith.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759778/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allisoned.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759719/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"changham.me"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759720/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lushtidex.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759721/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aaronchodka.support"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759722/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldmingle.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759723/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"centratisfact.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759724/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenfusionhub.me"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759725/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_03_06; classtype:trojan-activity; sid:91759725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"squariate.gr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759726/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zentidenowx.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759727/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fluidshine.nl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759728/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"potaming.eu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759729/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanquakenow.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759730/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"glowrevolt.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759731/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cambojas.com.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759732/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"manhattempted.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759733/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sucanday.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759734/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eachief.jp.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759735/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aggressity.gb.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759736/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759736; rev:1;)
# ---------------------------------------------------------------------------
# How to read the DNS rules in this stretch of the feed
#
# Every rule here uses the same template; only the hostname, its length and
# the IOC id change:
#
#   alert dns $HOME_NET any -> $EXTERNAL_NET any
#       Fires on a DNS query leaving the protected network. It records a
#       lookup, not a completed connection to the host.
#   dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase;
#       Exact, case-insensitive match on the queried name: depth equals the
#       length of <name>, so the match must begin at the first byte, and
#       isdataat:!1,relative requires that no byte follows it. A name that
#       only contains or ends with <name> (for example a subdomain of it)
#       does not match, which is why related names appear as separate rules
#       (dennesbury.com / upton.dennesbury.com,
#       czde.seconduce.com / info.seconduce.com).
#   target:src_ip
#       Tags the querying side as the target in alert output, i.e. the
#       internal machine to investigate. If clients resolve through a
#       resolver inside $HOME_NET, that source is the resolver rather than
#       the client that asked; resolver query logs are then needed to find
#       the originating host.
#   metadata: confidence_level 75
#       ThreatFox's confidence for the IOC, also repeated in msg. Every rule
#       in this stretch carries 75; the metadata key is what a
#       rule-management filter or triage query can select on.
#   sid:9<ioc id>; reference:url, threatfox.abuse.ch/ioc/<ioc id>/
#       The sid is the ThreatFox IOC id prefixed with 9; the reference URL
#       carries the same id and points at the ThreatFox entry for the
#       indicator.
#
# Rules are not in sid order: ids run in ascending batches
# (1759737-1759749, 1759690-1759718, 1759661-1759689, 1759632-1759660,
# then 1759605 onward).
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lushfusion.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759737/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidglownow.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759738/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mysticvibeco.ch"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759739/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epiczenithx.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759740/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pulseloom.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759741/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"federican.org.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759742/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumhaven.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759743/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electricnest.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759744/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stellarflickx.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759745/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aleclewlast.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759746/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"currectly.bid"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759747/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flashpulsenow.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759748/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eithelief.me.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759749/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"correspecified.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759690/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"braveverve.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759691/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purenestx.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759692/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"createrize.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759693/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumblazex.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759694/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"consumpting.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759695/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumblazenowx.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759696/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"postponently.org.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759697/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trueglowx.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759698/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"data.distributionrot.gr.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759699/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kilometerming.gb.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759700/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumechox.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759701/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"denometricit.com.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759702/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mccroneously.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759703/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wildpulsenow.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759704/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turbostreamnowx.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759705/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldtide.nl"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759706/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purringfence.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759707/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"consibilitical.com.se"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759708/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidglownowx.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759709/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbanechox.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759710/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fllko.xwinistered.uk.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759711/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"electricstrive.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759712/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"downturies.support"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759713/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapetus.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759714/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"modificial.support"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759715/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unsuccessor.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759716/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldvibex.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759717/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bisogynists.media"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759718/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"upton.dennesbury.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759661/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"physiquests.org.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759662/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frequivaldic.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759663/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"playstoreapp.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759664/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"charanciscolone.stream"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759665/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wirelation.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759666/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrarsh.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759667/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dylandmarkets.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759668/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"faminary.me.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759669/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supportablish.com.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759670/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exportantic.media"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759671/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"contactus.com.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759672/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"postallegan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759673/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pampaign.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759674/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"contactus.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759675/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"controllidea.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759676/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amerized.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759677/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"debusscar.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759678/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greatongate.com.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759679/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.45-137-20-96.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759680/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"squartefano.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759681/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"backgroup.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759682/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pachit.7tcsc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759683/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mjsshootingsupplies.com.au"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759684/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"germansion.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759685/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eltmengotia.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759686/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidstreamnowx.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759687/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fusionstrive.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759688/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"massassical.com.co"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759689/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evoltages.co.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759632/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"castructed.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759633/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alive.provichy.directory"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759634/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"condor2826.startdedicated.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759635/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759635; rev:1;)
# duckdns.org is a dynamic-DNS zone. The four rules below (and
# dixomwyudd.duckdns.org further down) match only the listed hostnames;
# a query for duckdns.org itself or any other host under it does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tsfepztnzl.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759636/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zhxiynroje.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759637/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"venhtmpgak.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759638/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"snkdmlqsoy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759639/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"czde.seconduce.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759640/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cemeterms.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759641/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aparse.us"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759642/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"veterned.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759643/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"haterms.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759644/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evoltairca.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759645/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"precalled.gr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759646/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blomsterpigerne.dk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759647/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billiaments.us.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759648/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"petervig.dk"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759649/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flipmarts.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759650/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wadsholt.dk"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759651/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759651; rev:1;)
# depth:55 is the full length of this multi-label name, so only the complete
# hostname matches; a query for congregority.com alone would not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"btrcv.pkcrmeruj.kugbygok.store.ass0091.congregority.com"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759652/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"paintact.org.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759653/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stellarlynx.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759654/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dixomwyudd.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759655/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transcombina.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759656/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"marcotting.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759657/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youness1.haji80.pserver.space"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759658/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcdermott.ichernhang.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759659/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dennesbury.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759660/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"relevensively.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759605/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capitalinguage.us"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759606/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"info.seconduce.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759607/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"numericalled.bid"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759608/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"falcoung.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759609/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aressimbee.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759610/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inclusional.co.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759611/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"automaticalled.uk.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759612/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fouristinent.org.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759613/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qqhjgygtwc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759614/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"francerto.de.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759615/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"smtpdelivery.brasiltecnoeletronicos.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759616/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glicte.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759617/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"forremed.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759618/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inhabitan.us"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759619/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accenturied.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759620/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"disonall.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759621/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sellowed.stream"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759622/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"condor2848.startdedicated.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759623/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alonesses.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759624/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shaanxiety.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759625/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insidespiter.org.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759626/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759626; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"digestern.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759627/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"corganish.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759628/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"becausinese.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759629/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"folderge.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759630/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fermembers.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759631/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"fuchstone.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759577/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"signateers.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759578/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldtidenow.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759579/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"agilliamethod.in.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759580/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"laicos.agilliamethod.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759581/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boundwateria.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759582/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lghjxbsfek.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759583/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wcuckpfoyy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759584/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anglication.gb.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759585/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"etctkplaig.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759586/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"joinelegant.me.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759587/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allucidal.co.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759588/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transporozone.gr.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759589/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"famountriggest.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759590/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swamisans.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759591/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dowerldentin.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759592/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"imagesicle.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759593/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adivionts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759594/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vmi2608192.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759595/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"behinductive.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759596/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"claimantic.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759597/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buthertaily.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759598/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hideytik.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759599/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dmitten.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759600/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"extremble.uk"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759601/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reconsfol.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759602/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pvfsmqzals.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759603/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91759603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"communisted.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759604/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qx56fjn88.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759549/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transliters.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759550/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"begualt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759551/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frontomb.me.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759552/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"pervica.org.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759553/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gimenooresman.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759554/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stablessenior.gb.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759555/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"resumerous.gb.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759556/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"railroadcast.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759557/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"descriptide.club"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759558/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pallbears.nl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759559/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"officiencess.club"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759560/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fantrieslibert.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759561/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"extendous.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759562/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"godriga.co.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759563/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; 
sid:91759563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hoy02d0hb.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759564/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"malacedonia.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759565/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"permingwa.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759566/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suristind.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759567/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dominents.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759568/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"microbustain.com.se"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759569/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"majounds.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759570/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hadiuse.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759571/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"termenian.gb.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759572/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"muuter.7tcsc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759573/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dimpyvgnrs.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
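threatfox.abuse.ch/ioc/1759574/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759574; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (ThreatFox domain IOCs, confidence 75%).
#
# Excerpt boundaries: the line above is the tail of a rule that begins before
# this excerpt, and the last line of this excerpt is the head of a rule that
# continues after it. Both are left exactly as found.
#
# Layout: one rule per line. Suricata reads a rule from a single line (or from
# backslash-continued lines), so rules that share a line or are cut in the
# middle of an option do not load. Rule text is otherwise unchanged.
#
# Match logic, identical in every rule:
#   dns_query               inspect the DNS query name
#   content:"<domain>"      the listed IOC
#   depth:<n>               n equals the length of the domain string, so the
#                           match has to start at the first byte of the name
#   isdataat:!1,relative    no byte may follow the match
#   nocase                  case-insensitive comparison
# Together these give an exact, case-insensitive match on the whole query
# name. A lookup for a subdomain of a listed name, or for its parent domain,
# does not alert.
#
# Triage caveats:
#   * target:src_ip marks the host that sent the query as the alert target.
#     Where clients resolve through an internal recursive resolver, that host
#     is the resolver; correlate with resolver query logs to find the endpoint.
#   * Only cleartext DNS from $HOME_NET to $EXTERNAL_NET is inspected. Lookups
#     carried over DoH or DoT are not visible to these rules.
#   * No threshold keyword is set, so every matching query raises an alert.
#     Rate-limit in threshold.config if a single host generates a flood.
#   * confidence_level is 75, not 100, and several names sit under shared
#     parents (duckdns.org dynamic DNS, provider-style hostnames under
#     contaboserver.net and startdedicated.com). Treat a hit as a lead to
#     corroborate with endpoint or proxy telemetry rather than as proof.
#   * first_seen is 2026_03_06 for every rule here; age entries out on the
#     schedule used for the rest of the feed.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zerosoftward.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759575/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dov2fm.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759576/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebelagbooks.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759522/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pfkieixmus.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759523/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subtletons.us.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759524/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stokes.outritics.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759525/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elfoce.timbedded.eu.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759526/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"separtist.nl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759527/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bombined.eu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759528/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spowelits.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759529/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prumhfahkc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759530/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"politaring.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759531/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eauozbfuyy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759532/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xynaeqtqur.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759533/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gwagonnnn.silverines.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759534/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"westindcitycenter.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759535/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"outralism.com.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759536/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aptivalks.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759537/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ledner.monrovince.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759538/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"claiminated.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759539/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"formulationarch.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759540/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seconduce.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759541/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elephor.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759542/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wuyzksyamv.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759543/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nsptbcvfeh.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759544/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"simultilizie.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cummings.reflectronic.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759546/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"calize.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759547/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"napollup.gb.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759548/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"investmentiful.com.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759495/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759495; rev:1;)
# NOTE(review): the leftmost label of the next entry reads like a wildcard-DNS
# probe name rather than a host an infected client would look up. Confirm
# against the referenced ThreatFox entry before treating a hit as C2 traffic.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thissubdomainshouldonlyresolveifwildcard.hermiston.parates.mex.com"; depth:66; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759496/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"107-150-49-154.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759497/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"638809242571143912.warsaw-shledrc-acat.info"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759498/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bunnyvalents.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759499/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"actering.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759500/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dewittewatermolen.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759501/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"courthelength.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759502/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nichthi.ch"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759503/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stionfireigh.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759504/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jiyndemabr.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759505/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gvuoekiety.marriedricht.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759506/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"willionally.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759507/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youthwested.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759508/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"attances.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759509/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thatury.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759510/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daybright.mex.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759511/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"paideakes.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759512/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authorov.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759513/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fundercos.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759514/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"krumarily.co.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759515/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tedurgy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759516/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stellarluxecore.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759517/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supportinian.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759518/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"approvidence.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759519/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ultiplying.me.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759520/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yundt.capilled.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759521/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prismcloudemberedge.gr.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759467/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"valenquistry.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759468/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"scandidatest.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759469/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subjectionship.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759470/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"revolumbustic.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759471/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"638820236370106360.tabriz-shledrc-accf.info"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759472/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zorvalantian.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759473/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759473; rev:1;)
# NOTE(review): the next entry looks like a provider-assigned server hostname.
# Presumably it stops being meaningful once the server changes hands; re-check
# it against the ThreatFox entry when ageing the list.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vmi2644314.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759474/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vexophalynic.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759475/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zontryvalics.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759476/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"placedon.uk.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759477/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"builm.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759478/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"westernitude.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759479/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"distakes.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759480/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rematogram.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759481/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vmi2631549.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759482/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fsahgalhpq.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759483/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slhanalehx.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759484/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"snqtszmbem.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759485/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"controller.dream-folded.pluie.rare.kepockele.net"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759486/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"9fia93.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759487/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lzyaswoncx.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759488/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jrvqbitvuu.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759489/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pneumonicle.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759490/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eajxfzzkgl.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759491/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thillocentrace.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759492/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suervo.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759493/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gresidever.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759494/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"postules.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759440/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holden1104.startdedicated.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759441/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pleseprearty.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759442/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trionymorpha.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759443/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boldfrost.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759444/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xenovandrite.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759445/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purezenithzenithquest.eu.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759446/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sincentribution.org.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759447/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yondaphluxio.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759448/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ukdzjbffdg.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759449/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wargend.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759450/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triangelofyx.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759451/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"playgullible.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759452/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vexiloventry.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759453/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whombium.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759454/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lightcascade.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759455/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sovietnamed.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759456/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"servicensus.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759457/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"veltracognito.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759458/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"volcanishing.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759459/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pariest.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759460/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taunae.vejigatorias.uk.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759461/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holden1101.startdedicated.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759462/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vallenn.uk"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759463/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metreatments.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759464/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jhzpaxsgvy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759465/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trackmystatus.in"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759466/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 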
classtype:trojan-activity; sid:91759466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pixelnestnovaedge.me.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759414/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nervoir.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759415/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"genemely.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759416/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rapidechox.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759417/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"summeript.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759418/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"ombrazephyrix.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759419/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saaheleter.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759420/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"penancialister.media"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759421/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"privativities.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759422/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hebattitle.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759423/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.abbott.parates.mex.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759424/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"immangly.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759425/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qriewlinvy.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759426/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peterstand.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759427/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"universids.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759428/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"209-126-100-81.hinet-ip.hinet.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759429/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"starloom.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759430/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xeravontique.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759431/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumflarestarzenith.me.uk"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759432/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumpathzenstorm.me.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759433/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swisscom.giize.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759434/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prograper.media"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759435/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"airporate.eu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759436/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adverturning.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759437/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"syntroglenix.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759438/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"squantially.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759439/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taminese.store"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1759386/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zqdutsvaon.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759387/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yidhzcvewv.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759388/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wrivistur.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759389/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spironethica.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759390/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"donolulu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759391/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; 
classtype:trojan-activity; sid:91759391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peakflarepulseforge.org.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759392/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"novashimpath.org.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759393/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ww2.yesmovie.bz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759394/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtpmail.hermiston.parates.mex.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759395/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"plasmovision.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759396/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"paulicational.media"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759397/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"relay.abbott.parates.mex.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759398/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nuarads.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759399/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtpauth.hermiston.parates.mex.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759400/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"photroglyzon.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759401/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"zenpulsefusion.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759402/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"save7.bazidownloader.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759403/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grountra.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759404/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"promosomeback.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759405/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gandalone.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759406/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tampion.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759407/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teached.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759408/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pinchedelive.co.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759409/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"durinct.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759410/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantumminglex.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759411/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"importities.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759412/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759412; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soutcher.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759413/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ranciscoversion.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759381/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rkjptbfgpc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759382/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yhgtn16y.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759383/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ptpafwqysn.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759384/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"goosever.org.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759385/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_06; classtype:trojan-activity; sid:91759385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aqua-sync.aquastream.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stre-v9.aquastream.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hydro-run.aquastream.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vant05.trailvantage.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759373; rev:1;) alert tcp $HOME_NET any -> [168.245.203.143] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1759368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759368; rev:1;) alert tcp $HOME_NET any -> [44.246.33.190] 53307 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759369; rev:1;) alert tcp $HOME_NET any -> [13.244.112.80] 38297 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759366; rev:1;) alert tcp $HOME_NET any -> [13.244.112.80] 53097 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759367; rev:1;) alert tcp $HOME_NET any -> [168.245.203.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759365; rev:1;) alert tcp $HOME_NET any -> [5.95.238.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759364; rev:1;) alert tcp $HOME_NET any -> [79.241.103.78] 82 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759363; rev:1;) alert tcp $HOME_NET any -> [43.213.178.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759362; rev:1;) alert tcp $HOME_NET any -> [194.104.9.75] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759361; rev:1;) alert tcp $HOME_NET any -> [62.171.153.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759360; rev:1;) alert tcp $HOME_NET any -> [3.80.92.191] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759359; rev:1;) alert tcp $HOME_NET any -> [103.83.86.58] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759358/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_06; classtype:trojan-activity; sid:91759358; rev:1;) alert tcp $HOME_NET any -> [178.16.52.145] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759357; rev:1;) alert tcp $HOME_NET any -> [143.92.51.45] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trail-net.trailvantage.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamon.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vant-v8.trailvantage.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"logi-base.trailvantage.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sent03.skysentry.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sky-gate.skysentry.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sent-v7.skysentry.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aero-hub.skysentry.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"link08.organiclink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orga-sync.organiclink.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759336; rev:1;) alert tcp $HOME_NET any -> [173.212.212.109] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759335; rev:1;) alert tcp $HOME_NET any -> [168.245.203.113] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759334; rev:1;) alert tcp $HOME_NET any -> [168.245.203.61] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759333; rev:1;) alert tcp $HOME_NET any -> [109.172.87.216] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759332/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759332; rev:1;) alert tcp $HOME_NET any -> [194.36.178.53] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759331; rev:1;) alert tcp $HOME_NET any -> [147.27.121.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759330; rev:1;) alert tcp $HOME_NET any -> [23.177.185.166] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_06; classtype:trojan-activity; sid:91759329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"link-v6.organiclink.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bio-trace.organiclink.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"pulse02.metropulse.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metro-net.metropulse.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pulse-v5.metropulse.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urban-sys.metropulse.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nest09.cryptonest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"getting-acquisitions.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thestreamhub.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759319; rev:1;) alert tcp $HOME_NET any -> [176.65.132.29] 2406 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigbang.co.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.bigbang.co.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"197laststop.it.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilaczzlz.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.coversproject.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilac365ze.tv"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilaczzlz.tv"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.coversproject.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759306/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_05; classtype:trojan-activity; sid:91759306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilac365ze.tv"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilaczzlz.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.coversproject.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilac365ze.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczzlz.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759311; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.coversproject.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilac365ze.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczzlz.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.coversproject.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilac365ze.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"atex.xoilaczzlz.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.coversproject.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilac365ze.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilaczzlz.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.coversproject.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilac365ze.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1759295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilaczzlz.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.coversproject.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilac365ze.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilaczzlz.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.coversproject.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; 
classtype:trojan-activity; sid:91759300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilac365ze.tv"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759301; rev:1;) alert tcp $HOME_NET any -> [159.65.72.184] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759281/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759281; rev:1;) alert tcp $HOME_NET any -> [46.101.94.33] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759280; rev:1;) alert tcp $HOME_NET any -> [178.128.174.202] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759279/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759279; rev:1;) alert tcp $HOME_NET any -> [206.189.72.196] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759278/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759278; rev:1;) alert tcp $HOME_NET any -> [165.227.66.229] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1759277/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759277; rev:1;) alert tcp $HOME_NET any -> [159.65.56.1] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759276/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759276; rev:1;) alert tcp $HOME_NET any -> [206.189.72.192] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759275/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759275; rev:1;) alert tcp $HOME_NET any -> [167.172.150.241] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759274/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759274; rev:1;) alert tcp $HOME_NET any -> [143.110.174.5] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759273/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759273; rev:1;) alert tcp $HOME_NET any -> [161.35.37.48] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759272/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"nest-v4.cryptonest.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"data-vault.cryptonest.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brid01.fluxbridge.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flux-net.fluxbridge.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brid-v3.fluxbridge.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759266; rev:1;) alert tcp $HOME_NET any -> [157.230.90.32] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759265; rev:1;) alert tcp $HOME_NET any -> [167.71.136.207] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759264/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759264; rev:1;) alert tcp $HOME_NET any -> [104.236.213.248] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759263/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759263; rev:1;) alert tcp $HOME_NET any -> [146.190.78.246] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759262/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759262; rev:1;) alert tcp $HOME_NET any -> [46.101.87.8] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759261/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759261; rev:1;) alert tcp $HOME_NET any -> [157.245.40.115] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759260/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759260; rev:1;) alert tcp $HOME_NET any -> [138.68.252.127] 8001 
(msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759259/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759259; rev:1;) alert tcp $HOME_NET any -> [159.223.100.231] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759258/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759258; rev:1;) alert tcp $HOME_NET any -> [178.62.195.131] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759257/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matr07.fieldmatrix.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"field-sync.fieldmatrix.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matr-v2.fieldmatrix.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1759253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759253; rev:1;)
# DNS-query IOC rules ("payload delivery" domains, confidence_level 100).
# Each rule inspects the dns_query buffer for a single name. depth equals the
# length of the content string and isdataat:!1,relative requires that nothing
# follows it, so only a query for exactly that name matches (case-insensitive
# via nocase); a longer name that merely contains it does not.
# target:src_ip marks the querying $HOME_NET host as the affected side.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agro-unit.fieldmatrix.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"view04.tectoniview.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tecto-sync.tectoniview.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"view-v1.tectoniview.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cyber-node.tectoniview.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759248; rev:1;)
# IP:port IOC rules (Aisuru, TCP/8001). These carry no content, flow or
# app-layer condition: a TCP packet from $HOME_NET to the listed address and
# port is enough to match. threshold "type limit, track by_src, seconds 60,
# count 1" caps each rule at one alert per source host per 60 seconds.
# NOTE(review): confidence_level is 75 here, lower than the 100 on the
# surrounding rules - consider triaging these separately before using them to
# drive blocking.
alert tcp $HOME_NET any -> [178.128.148.120] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759247/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759247; rev:1;)
alert tcp $HOME_NET any -> [138.68.31.127] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759246/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759246; rev:1;)
alert tcp $HOME_NET any -> [164.92.219.1] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759245/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759245; rev:1;)
alert tcp $HOME_NET any -> [165.232.39.23] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759244/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759244; rev:1;)
alert tcp $HOME_NET any -> [46.101.82.104] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759243/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759243; rev:1;)
alert tcp $HOME_NET any -> [138.68.165.137] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759242/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759242; rev:1;)
alert tcp $HOME_NET any -> [192.81.217.8] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759241/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759241; rev:1;)
alert tcp $HOME_NET any -> [45.55.134.170] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759240/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759240; rev:1;)
alert tcp $HOME_NET any -> [167.71.6.213] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759239/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759239; rev:1;)
# Exact-name dns_query rules again ("payload delivery", confidence_level 100).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lose06.amperelose.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amp-v1.amperelose.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759236;
rev:1;)
# DNS-query IOC rules ("payload delivery" domains, confidence_level 100).
# dns_query + content with depth equal to the name length + isdataat:!1,relative
# means only a query for exactly this name matches (nocase); subdomains or
# longer names containing it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"volt-sync.amperelose.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amp-lose.amperelose.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759231; rev:1;)
# IP:port IOC rules for several families (named in each msg), confidence_level 100.
# The only match criteria are protocol, destination address and destination
# port: there is no content, flow or app-layer keyword, so a TCP packet from
# $HOME_NET to that endpoint is enough to alert. threshold "type limit, track
# by_src, seconds 60, count 1" caps each rule at one alert per source host per
# 60 seconds; target:src_ip marks the internal host as the affected side.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): some endpoints below use common service ports (80, 8080, 5900);
# because nothing beyond address and port is checked, confirm against the
# ThreatFox reference entry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [45.149.235.215] 8888 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759220; rev:1;)
alert tcp $HOME_NET any -> [82.180.139.121] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759219; rev:1;)
alert tcp $HOME_NET any -> [45.74.26.168] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759217; rev:1;)
alert tcp $HOME_NET any -> [172.111.233.66] 5900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759218; rev:1;)
alert tcp $HOME_NET any -> [213.142.148.166] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759215; rev:1;)
alert tcp $HOME_NET any -> [192.169.6.122] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759216; rev:1;)
alert tcp $HOME_NET any -> [92.118.127.79] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759214; rev:1;)
alert tcp $HOME_NET any -> [96.44.159.151] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759212; rev:1;)
alert tcp $HOME_NET any -> [31.57.216.97] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759213; rev:1;)
alert tcp $HOME_NET any -> [20.206.241.173] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759210; rev:1;)
alert tcp $HOME_NET any -> [198.135.54.85] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759211; rev:1;)
alert tcp $HOME_NET any -> [96.44.159.225] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759208; rev:1;)
alert tcp $HOME_NET any -> [96.44.159.222] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759209; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.21] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759207; rev:1;)
alert tcp $HOME_NET any -> [209.59.184.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759202/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759202; rev:1;)
# IP:port IOC rules, all labelled Cobalt Strike and all on TCP/48713,
# confidence_level 100, first_seen 2026_03_05.
# Each rule matches on protocol, destination address and destination port
# only (no content, flow or app-layer keyword). threshold "type limit, track
# by_src, seconds 60, count 1" caps each rule at one alert per source host per
# 60 seconds, and that limit is per rule: one host contacting several of these
# addresses raises one alert per sid.
# target:src_ip marks the internal host as the affected side; the sid is the
# digit 9 followed by the ThreatFox IOC id from the reference URL.
alert tcp $HOME_NET any -> [23.226.56.219] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759203; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.25] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759204; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.203] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759205; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.18] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759206; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.29] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759199; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.60] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759200; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.10] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759201; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.201] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759196; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.114] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759197; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.49] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759198; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.12] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759193; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.13] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759194; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.29] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759195; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.222] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759189/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759189; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.216] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759190; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.108] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759191; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.203] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759186; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.34] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759187; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.30] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759188; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.123] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759183; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.211] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759184; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.28] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759185; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.218] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759180; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.3] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759181; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.25] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759182; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.197] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759178; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.211] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759179; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.1] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1;
reference:url, threatfox.abuse.ch/ioc/1759175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759175; rev:1;)
# IP:port IOC rules, all labelled Cobalt Strike and all on TCP/48713,
# confidence_level 100, first_seen 2026_03_05.
# Match criteria are protocol, destination address and destination port only;
# there is no content, flow or app-layer keyword. threshold "type limit, track
# by_src, seconds 60, count 1" caps each rule at one alert per source host per
# 60 seconds. target:src_ip marks the internal host as the affected side.
# The destination addresses fall into a small number of recurring prefixes
# (156.234.67.x, 156.234.252.x, 23.226.56.x, 23.235.177.x, 23.248.213.x,
# 103.44.88.x, 103.44.90.x, 185.213.60.x), each listed as its own rule and sid.
alert tcp $HOME_NET any -> [23.226.56.216] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759176; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.20] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759177; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.21] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759173; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.17] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759174; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.61] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759170; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.57] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759171; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.180] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759172; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.194] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759167; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.198] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759168; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.22] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759169; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.16] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759165; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.19] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759166; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.174] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759161; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.11] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759162; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.1] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759163; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.24] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759164; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.56] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759158; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.220] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759159; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.39] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759160; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.15] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759155; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.62] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759156; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.205] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759157; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.27] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759152; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.184] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759153; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.53] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759154; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.111] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759150; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.19] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759151; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.205] 48713 (msg:"ThreatFox Cobalt Strike botnet
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759146; rev:1;)
# IP:port IOC rules, all labelled Cobalt Strike and all on TCP/48713,
# confidence_level 100, first_seen 2026_03_05.
# Match criteria are protocol, destination address and destination port only;
# there is no content, flow or app-layer keyword, so the rules identify the
# endpoint contacted, not the protocol spoken. threshold "type limit, track
# by_src, seconds 60, count 1" caps each rule at one alert per source host per
# 60 seconds; target:src_ip marks the internal host as the affected side.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference
# URL, which gives a direct pivot from an alert to the IOC entry.
# NOTE(review): first_seen records when the IOC was reported; the rules carry
# no expiry, so address reassignment over time is something to check when
# triaging older hits.
alert tcp $HOME_NET any -> [185.213.60.33] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759147; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.5] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759148; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.22] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759149; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.5] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759143; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.194] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759144; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.212] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759145; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.196] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759140; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.210] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759141; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.202] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759142; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.198] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759138; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.204] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759139; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.208] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759135; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.18] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759136; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.47] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759137; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.51] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759132; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.217] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759133; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.13] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759134; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.195] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759130; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.185] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759131; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.2] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759129; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.16] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759127; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.217] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759128; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.209] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759126; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.213] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759124; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.48] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759125; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.14] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759123; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.27] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759121;
rev:1;)
# Each sid is the digit 9 followed by the ThreatFox IOC id in the rule's
# reference URL (sid:91759122 pairs with threatfox.abuse.ch/ioc/1759122/), so an
# alert can be traced back to the feed entry that produced it.
# NOTE(review): the sids sit in the 91xxxxxx range; check that no locally
# written rule uses the same range before loading this file.
alert tcp $HOME_NET any -> [23.248.213.165] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759122; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.178] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759119; rev:1;)
# NOTE(review): unlike its neighbours on TCP/48713, the next indicator is on
# TCP/80. The rule has no HTTP keyword, so any TCP traffic from $HOME_NET to this
# address on port 80 alerts regardless of the host name or URI requested. Whether
# the address also serves unrelated sites is not shown here (check the referenced
# ThreatFox entry); correlate a hit with HTTP or proxy logs before treating it as
# confirmed C2.
alert tcp $HOME_NET any -> [67.225.255.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759120; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.8] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759117; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.189] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759118; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.30] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759116; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.13] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759114; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.222] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759115; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.42] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759112; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.6] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759113; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.208] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759110; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.7] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759111; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.106] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759108; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.23] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759109; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.219] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759106; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.26] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759107; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.23] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759104; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.52] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759105; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.55] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759101; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.24] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759102; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.35] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759103; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.5] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759098; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.200] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759099; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.204] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759100; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.26] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759096; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.54] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759097; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.24] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759094; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.179] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759095/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759095; rev:1;)
# NOTE(review): the only date these rules carry is metadata first_seen, and
# nothing in a rule expires it. IP addresses are reassigned over time, so load
# this file from the current feed rather than from an archived copy, and weigh
# first_seen against the alert time when triaging a hit.
# The rules in this run differ only in destination address, reference and sid.
# One rule per indicator keeps the per-IOC reference URL in every alert.
alert tcp $HOME_NET any -> [156.234.252.202] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759092; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.213] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759093; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.195] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759090; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.215] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759091; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.6] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759087; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.196] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759088; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.17] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759089; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.59] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759083; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.2] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759084; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.109] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759085; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.119] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759086; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.172] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759081; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.18] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759082; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.10] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759079; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.206] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759080; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.37] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759076; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.197] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759077; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.215] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759078; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.41] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759073; rev:1;)
alert tcp $HOME_NET any -> [103.44.88.28] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759074; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.117] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759075; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.12] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759071; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.169] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759072; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.44] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759068; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.8] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759069; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.14] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759070; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.9] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759065; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.103] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759066; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.120] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759067; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.214] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759062; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.210] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759063; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.43] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759064; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.7] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759060; rev:1;)
# ip:port indicators, continued. Traffic direction is $HOME_NET -> listed
# endpoint, and `target:src_ip` marks the source side (the internal host) as the
# target of the activity. In outputs that report source and target, the
# $HOME_NET address is therefore the host to investigate; the listed address is
# the remote endpoint.
alert tcp $HOME_NET any -> [156.234.67.30] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759061; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.212] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759058; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.3] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759059; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.58] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759056; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.200] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759057; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.221] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759054; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.27] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759055; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.36] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759052; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.193] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759053; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.4] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759050; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.9] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759051; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.207] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759048; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.181] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759049; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.11] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759047; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.218] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759046; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.11] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759044; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.50] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759045; rev:1;)
alert tcp $HOME_NET any -> [156.234.67.15] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759042; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.99] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759043; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.209] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759040; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.45] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759041; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.221] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759038; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.102] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759039; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.206] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759036; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.28] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759037; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.220] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759034; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.126] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759035; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.46] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759032; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.199] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759033; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.14] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759031; rev:1;)
# Same ip:port rule form, different family (ValleyRAT) and port (TCP/448).
alert tcp $HOME_NET any -> [108.187.4.252] 448 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759030; rev:1;)
# Domain indicators. `depth` equals the length of the content string and
# `isdataat:!1,relative` requires that nothing follows it, so a rule fires only
# on a DNS query for exactly the listed name (any letter case, via nocase). Other
# hosts under the same parent domain are not covered by these two rules.
# There is no threshold here, so every matching query is alerted.
# NOTE(review): `dns_query` is the older spelling of the `dns.query` sticky
# buffer; confirm the Suricata version in use still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kero-net.avonkerosene.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"avon-core.avonkerosene.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759028; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maku07.makuhaportfol.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"port-v8.makuhaportfol.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maku-base.makuhaportfol.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"port-fol.makuhaportfol.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"synch03.corvetsynchron.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759023; rev:1;) alert tcp $HOME_NET any -> [46.149.77.24] 443 (msg:"ThreatFox Amatera botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759022/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"net-hub.commundesign.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758964; rev:1;) alert tcp $HOME_NET any -> [137.184.111.42] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"com04.commundesign.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soup-node.coachsoup.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758978; rev:1;) alert tcp $HOME_NET any -> [45.55.77.196] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758979/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soup09.coachsoup.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"const-gate.constelluntrav.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taffy/esta/eleonore/malissia/elle/annadiana/kania/wrennie/fern"; depth:63; nocase; http.host; content:"blankeyeo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skird-net.breakskird.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skird05.breakskird.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1758994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hryv08.hryvmicrobiol.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hryv-node.hryvmicrobiol.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.craftyinkymagic.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"big-prog.bigamyprogramm.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sys-node.bigamyprogramm.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759008/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prog-v6.bigamyprogramm.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.105.117.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1759018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759018; rev:1;) alert tcp $HOME_NET any -> [146.190.227.147] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dldo3-53471.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"motchillio.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759019/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_05; classtype:trojan-activity; sid:91759019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corvet-v7.corvetsynchron.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dinosaursjam.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achievershelf.space"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759015; rev:1;) alert tcp $HOME_NET any -> [77.91.96.205] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759014/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"synch-node.corvetsynchron.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759013; rev:1;) alert tcp $HOME_NET any -> [91.84.104.126] 443 
(msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1759012/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91759012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corvet-sync.corvetsynchron.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"big02.bigamyprogramm.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micro-v5.hryvmicrobiol.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saj.gr.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acsmoney.in.net"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufb.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1759000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91759000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55gamei.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broadres7.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diceroller.us.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"officedesk2026.4nmn.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758996/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micro-bio.hryvmicrobiol.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"break-v4.breakskird.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dog.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dog.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dog.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758988/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dog.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"break-unit.breakskird.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trav01.constelluntrav.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"const-v3.constelluntrav.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trav-base.constelluntrav.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758983/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coach-v2.coachsoup.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coach-sync.coachsoup.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758977; rev:1;) alert tcp $HOME_NET any -> [147.182.251.17] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758974; rev:1;) alert tcp $HOME_NET any -> [40.192.37.0] 12291 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758973; rev:1;) alert tcp $HOME_NET any -> [40.192.37.0] 4841 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758972; rev:1;) alert tcp $HOME_NET any -> [149.88.76.102] 8080 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caregiveme.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758970; rev:1;) alert tcp $HOME_NET any -> [45.137.205.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758969; rev:1;) alert tcp $HOME_NET any -> [176.65.132.31] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758968; rev:1;) alert tcp $HOME_NET any -> [92.46.3.252] 15000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758967; rev:1;) alert tcp $HOME_NET any -> [23.248.213.103] 3620 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758966/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"design-v1.commundesign.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758965; rev:1;) alert tcp $HOME_NET any -> [45.55.77.196] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mythic.cymru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758961; rev:1;) alert tcp $HOME_NET any -> [167.71.73.197] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"com-design.commundesign.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mimi-knotline.mimisttie.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758959; rev:1;)
# One signature per line from here on. The option list directly above completes a
# rule whose header sits on the preceding line of the file.
#
# Every rule in this section is an "alert" with classtype:trojan-activity and
# target:src_ip, which labels the $HOME_NET side as the target in the alert record.
# The feed's confidence is carried only in msg and in metadata: confidence_level.

# ip:port rules. No flow or flags keyword is present, so any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered SYN.
# An alert shows a connection attempt, not proof of an established C2 session.
# threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [167.99.42.180] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758952; rev:1;)
alert tcp $HOME_NET any -> [137.184.215.213] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758954; rev:1;)
# url rules. flow:established,from_client restricts matching to client requests on
# an established flow. The http.host content has depth set to the pattern length
# and isdataat:!1,relative rejects trailing bytes, so the host is an exact match.
# The http.uri content has depth but no end anchor, so it is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keys"; depth:5; nocase; http.host; content:"45.83.140.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758956; rev:1;)
# A uri pattern of "/" with depth:1 matches any GET whose URI begins with "/", so
# this is effectively a host-only signature. The same host and uri are matched
# again by sid:91758860 further down (listed there at 100% confidence), so one
# request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"micasaestucasa.mx"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758957/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758957; rev:1;)
# domain rules. dns_query (the legacy spelling of the dns.query buffer) is matched
# with depth set to the pattern length, isdataat:!1,relative and nocase, i.e. a
# case-insensitive exact match on the queried name. A query for a subdomain of a
# listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tinythread.mimisttie.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zk8q4.mimisttie.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geo-p1levector.geodesistpile.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"surveyrock.geodesistpile.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validateorder.php"; depth:18; nocase; http.host; content:"wirelessat.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7wz3.geodesistpile.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w9m2kx.alaspasteur.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758922; rev:1;)
alert tcp $HOME_NET any -> [161.35.171.177] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758925; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.60] 7001 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758926; rev:1;)
# The next two entries carry 55% and 76% confidence and point at ports 80 and 443.
# They use the same action and classtype as the 100% rules, so triage has to read
# confidence_level from the alert metadata to tell them apart.
alert tcp $HOME_NET any -> [80.97.160.190] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 55%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758936/; target:src_ip; metadata: confidence_level 55, first_seen 2026_03_05; classtype:trojan-activity; sid:91758936; rev:1;)
alert tcp $HOME_NET any -> [213.165.57.216] 443 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 76%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758937/; target:src_ip; metadata: confidence_level 76, first_seen 2026_03_05; classtype:trojan-activity; sid:91758937; rev:1;)
alert tcp $HOME_NET any -> [64.227.37.151] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/five/five/pvqdq929bsx_a_d_m1n_a.php"; depth:45; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"engrave-vel0ur.engravevelvet.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miso88s.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"79sodo.media"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pftkv.sa.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softcarve.engravevelvet.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6xq9.engravevelvet.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aliyun.commandandcontrol.top"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758940/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esaul-frostline.esaulsnow.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wintertrail.esaulsnow.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v8q2r.esaulsnow.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"infant-woodgrid.infantwoodman.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"youngtimber.infantwoodman.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xk39q.infantwoodman.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magnes-core.magnesshabas.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4enjfmcl.wallnapalm.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1vqo4dqo.wallnapalm.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sabbathforge.magnesshabas.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nq7w5.magnesshabas.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pasteur0-lab.alaspasteur.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"labculture.alaspasteur.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gl4ss-hollow.sheetglass.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758921; rev:1;)
# From here several hosts appear twice: once as a domain rule and once as a url
# rule whose uri pattern is "/" with depth:1. A single plaintext fetch from such a
# host can therefore raise a DNS alert and an HTTP alert for the same indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onlin3doculoadin3.pro"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"onlin3doculoadin3.pro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aljudiglobal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aljudiglobal.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758858; rev:1;)
# Same host and uri pattern as sid:91758957 above, which lists it at 90%.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"micasaestucasa.mx"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micasaestucasa.mx"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pmbaruah.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pmbaruah.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sandipregmi7.com.np"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sandipregmi7.com.np"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sman1secanggang.sch.id"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sozvpltds.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758874; rev:1;)
# One signature per line. Every rule in this section is an "alert" with
# classtype:trojan-activity and target:src_ip (the $HOME_NET side is labelled as
# the target in the alert record). The feed's confidence is carried only in msg and
# in metadata: confidence_level.
#
# url rules: flow:established,from_client restricts matching to client requests on
# an established flow. http.host has depth set to the pattern length plus
# isdataat:!1,relative, so the host is an exact match. http.uri has depth but no
# end anchor, so it is a prefix match; a pattern of "/" with depth:1 matches any
# GET whose URI begins with "/", which makes the rule a host-only signature.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sman1secanggang.sch.id"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758867; rev:1;)
# NOTE(review): the host below is a shared content-hosting name, so only the uri
# path makes this signature specific. As an "alert http" rule it can match only
# requests the sensor sees in cleartext; confirm whether traffic to this host is
# decrypted ahead of the sensor, otherwise the rule will presumably never fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hello32423423/test.ps1/refs/heads/main/test.ps1"; depth:48; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/captcha.txt"; depth:12; nocase; http.host; content:"sozvpltds.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758875; rev:1;)
alert tcp $HOME_NET any -> [167.71.73.197] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758876; rev:1;)
# The following 90%-confidence url rules are all host-only ("/" with depth:1): any
# plaintext GET to the named host alerts, whatever path is requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"barbadoscancersociety.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758877/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fivetech.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758878/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"offercentralm.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758879/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"m.erbildecoor.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758880/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sergiostest.offercentralmedia.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758881/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758881; rev:1;)
# Hosts listed both as a url rule and as a domain rule (smokeylife.com,
# lubazra.com, bitcog.com.de) can raise an HTTP alert and a DNS alert for one fetch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"smokeylife.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758882; rev:1;)
# domain rules: dns_query (the legacy spelling of the dns.query buffer) with depth
# set to the pattern length, isdataat:!1,relative and nocase is a case-insensitive
# exact match on the queried name; a subdomain of a listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smokeylife.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"affiliates.offercentralmedia.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758892/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lubazra.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.php"; depth:6; nocase; http.host; content:"lubazra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitcog.com.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bitcog.com.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758907; rev:1;)
# ip:port rules: no flow or flags keyword is present, so any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered SYN.
# An alert shows a connection attempt, not proof of an established C2 session.
# threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [159.89.46.211] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758909; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.78] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758920/; target:src_ip; metadata: confidence_level 80, first_seen 2026_03_05; classtype:trojan-activity; sid:91758920; rev:1;)
alert tcp $HOME_NET any -> [121.127.233.109] 77 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758919; rev:1;)
alert tcp $HOME_NET any -> [3.143.213.228] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758918; rev:1;)
alert tcp $HOME_NET any -> [76.13.215.54] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758917; rev:1;)
# The next two rules cover the same address on two different ports; each has its
# own sid and its own threshold counter.
alert tcp $HOME_NET any -> [15.156.202.59] 56755 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758916; rev:1;)
alert tcp $HOME_NET any -> [15.156.202.59] 51005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758915; rev:1;)
alert tcp $HOME_NET any -> [200.100.117.21] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758914; rev:1;)
alert tcp $HOME_NET any -> [50.114.179.235] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758913; rev:1;)
alert tcp $HOME_NET any -> [31.58.220.250] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758912; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.38] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758911; rev:1;)
alert tcp $HOME_NET any -> [23.226.56.214] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fgwfa66x.isconizloty.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y94slh1u.isconizloty.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearpane.sheetglass.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mimigoeseandbenneill.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t8qzr.sheetglass.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vityaz1-edge.bulgarvityaz.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bornlny.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staroga.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milosmilivojevic.rs"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironknight.bulgarvityaz.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"millvalley.backtalk.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758894; rev:1;)
alert tcp $HOME_NET any -> [107.172.13.248] 8787 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcp3.tunnel4.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdf.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"789win.br.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcn.cn.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"si.sa.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k5ia90w1.beleananniver.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qfm9hvy9.beleananniver.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qz3x8v.bulgarvityaz.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ecuad0r-mesh.ecuadoriangas.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nah.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nah.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758871; rev:1;)
#
# HTTP rules (one rule per line).
# flow:established,from_client restricts matching to client requests on an
# established session. http.method must contain "GET", http.uri must begin
# with "/" (depth:1) and http.host must equal the listed hostname (depth is
# the length of the name, isdataat:!1,relative allows nothing after it).
# Because practically every request path begins with "/", these rules key on
# the Host header alone.
# These are "alert http" rules, so they only see requests the engine can parse
# as HTTP. A visit to the same host over TLS is not matched here unless the
# traffic is decrypted before inspection; where the feed also carries a dns
# rule for the same name, that rule gives coverage independent of transport.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nah.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nah.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758869; rev:1;)
# NOTE(review): unlike its neighbours, sid:91758865 has no http.host match; the
# hostname "wirelessat.com" is anchored at the start of http.uri instead.
# Request URIs normally start with "/", so this rule is unlikely to fire as
# written. Presumably the feed entry had no scheme or path and the generator
# treated the whole string as a URI - check the IOC page referenced in the
# rule before counting on it for coverage of this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"wirelessat.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1758865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758865; rev:1;)
# Payload-delivery hosts at confidence_level 90, matched on Host header only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"upnewskill.asia"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758744/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pixelinks.co.uk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758745/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rxwinone.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758746/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reddycolour.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758747/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"westindiesrum.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758748/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"realmoney999.uno"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758749/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758749; rev:1;)
#
# From here on hostnames appear in pairs: a dns rule (exact, case-insensitive
# match on the queried name) followed by an http rule (plaintext GET with that
# Host header). The two carry different sids, so one host contacting one
# indicator can raise both alerts.
# NOTE(review): the http rule for cryptotion.com below (sid:91758752) has the
# same match conditions as sid:91758850 elsewhere in this file; they differ
# only in confidence_level (100 vs 90), so a single request raises both.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cryptotion.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cryptotion.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"creativejunction.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"creativejunction.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"barbadosplanningsociety.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"barbadosplanningsociety.org"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"barbadoscancersociety.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"barbadoscancersociety.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sergiostest.offercentralmedia.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sergiostest.offercentralmedia.com"; depth:33; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1758760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758760; rev:1;)
#
# Payload-delivery hostnames, mostly as dns / http pairs (one rule per line).
# dns rules: depth equals the length of the content string and
# isdataat:!1,relative forbids trailing bytes, so the queried name must equal
# the hostname exactly (nocase); subdomains of a listed name do not match,
# which is why e.g. fivetech.co and movilidadtest.fivetech.co are separate
# rules.
# http rules: plaintext GET from the client whose URI begins with "/" and
# whose Host header equals the hostname. Requests to the same host inside TLS
# are not seen by these rules unless traffic is decrypted before inspection.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fivetech.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fivetech.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alpha.erbildecoor.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alpha.erbildecoor.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movilidadtest.fivetech.co"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"movilidadtest.fivetech.co"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"m.erbildecoor.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.erbildecoor.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"affiliates.offercentralmedia.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758846; rev:1;)
# http-only entries at confidence_level 90 (no dns rule for these names is
# visible in this part of the file).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"msonfire.website"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758847/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mkicau.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758848/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"92dadu1.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758849/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758849; rev:1;)
# NOTE(review): sid:91758850 has the same match conditions as sid:91758752
# elsewhere in this file (GET, URI starting with "/", Host cryptotion.com);
# only confidence_level differs (90 vs 100). One request raises both alerts,
# so de-duplicate on the indicator rather than on the sid when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cryptotion.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758850/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"affiliates.offercentralmedia.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ukpod.co.uk"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ukpod.co.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mikedettra.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"andesfuel.ecuadoriangas.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758843; rev:1;)
#
# Botnet C2 entries at confidence_level 50. Every rule in this file uses the
# same action and classtype, so the confidence value in msg / metadata is the
# only field that separates these from the 100% entries; route them
# accordingly in alert triage.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"femboykisserkissmyboyandeatingsomecheeseburgerbiggestdihball.vietnamddns.com"; depth:76; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758841/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"moiamonprime.myddns.me"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758842/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758842; rev:1;)
# NOTE(review): sid:91758840 matches any plaintext GET to Host drive.google.com
# whose URI begins with "/uc". Nothing in the rule identifies a particular
# file or parameter, so ordinary downloads from that service satisfy it as
# well. At confidence_level 50 this is a candidate for a suppress/threshold
# entry, or for use only in correlation with other alerts from the same
# source, rather than stand-alone escalation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc"; depth:3; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758840/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758840; rev:1;)
# URI contents such as "/bfsgd3f/index.php" (depth:18) are anchored at the
# start of http.uri but not at its end, and carry nocase: a longer path or a
# query string after the prefix still matches, in any letter case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfsgd3f/index.php"; depth:18; nocase; http.host; content:"support.avs4soft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758838/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfsgd3f/index.php"; depth:18; nocase; http.host; content:"support.office365excel.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758839/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ustk.useevintage.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758837/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mikalamarrone.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758836; rev:1;)
# The next three rules expect an IP literal as the whole Host header value.
# The "/auth" URI content (depth:5) is a prefix match, so any longer path
# that starts with those five characters also satisfies it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bbfbb85010e4111.php"; depth:21; nocase; http.host; content:"185.123.102.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758835/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth"; depth:5; nocase; http.host; content:"147.93.4.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758834/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth"; depth:5; nocase; http.host; content:"207.246.115.233"; depth:15; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1758833/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758833; rev:1;)
#
# ip:port rules (one rule per line), all at confidence_level 50.
# These rules have no content, flow or flags keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, including a connection
# attempt that is never answered. An alert therefore shows that a host tried
# to reach the address, not that a C2 session took place - check flow records
# for a completed handshake and bytes exchanged before escalating.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds for each rule, so alert counts do
# not reflect connection counts.
# NOTE(review): several entries use ports 80 and 443. If such an address is
# shared hosting or a cloud front end, unrelated traffic to it matches too;
# verify what the address currently serves, and age entries out relative to
# the first_seen date in metadata.
#
alert tcp $HOME_NET any -> [139.144.167.21] 443 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758832/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758832; rev:1;)
# 118.122.8.155 appears twice in this group (ports 28443 and 12407) under
# different family labels.
alert tcp $HOME_NET any -> [118.122.8.155] 28443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758831/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758831; rev:1;)
alert tcp $HOME_NET any -> [88.210.13.112] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758830/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758830; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.99] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758829/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758829; rev:1;)
alert tcp $HOME_NET any -> [8.228.95.3] 8080 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758826/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758826; rev:1;)
alert tcp $HOME_NET any -> [3.214.88.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758824/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758824; rev:1;)
alert tcp $HOME_NET any -> [120.26.88.1] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758823/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758823; rev:1;)
alert tcp $HOME_NET any -> [176.82.217.131] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758822/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758822; rev:1;)
alert tcp $HOME_NET any -> [118.122.8.155] 12407 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758821/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758821; rev:1;)
alert tcp $HOME_NET any -> [37.107.170.53] 4524 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758820/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758820; rev:1;)
alert tcp $HOME_NET any -> [149.12.67.177] 6379 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758819/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758819; rev:1;)
alert tcp $HOME_NET any -> [129.132.63.206] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758817/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758817; rev:1;)
alert tcp $HOME_NET any -> [84.132.18.218] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758816/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758816; rev:1;)
# Mozi entries: four addresses, each on a different high port.
alert tcp $HOME_NET any -> [117.209.90.21] 50080 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758813/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758813; rev:1;)
alert tcp $HOME_NET any -> [117.205.84.145] 33060 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758814/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758814; rev:1;)
alert tcp $HOME_NET any -> [117.242.196.149] 49688 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758811/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758811; rev:1;)
alert tcp $HOME_NET any -> [117.209.21.103] 60443 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758812/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758812; rev:1;)
# Kimsuky entries: ports 80 and 443 only, so the shared-address caveat above
# applies in full; the family label comes from the feed and is not verified
# by anything the rule inspects.
alert tcp $HOME_NET any -> [101.36.114.66] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758809/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758809; rev:1;)
alert tcp $HOME_NET any -> [152.32.243.178] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758810/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758810; rev:1;)
alert tcp $HOME_NET any -> [118.194.248.134] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758807/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758807; rev:1;)
alert tcp $HOME_NET any -> [152.32.138.146] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758808/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758808; rev:1;)
# "Unknown malware" entries: the feed gives no family, so the alert text
# carries no triage hint beyond the address and port.
# 124.156.177.254 is listed on two ports (12301 and 12428).
alert tcp $HOME_NET any -> [143.110.245.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758805/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758805; rev:1;)
alert tcp $HOME_NET any -> [124.156.177.254] 12301 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758806/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758806; rev:1;)
alert tcp $HOME_NET any -> [124.156.177.254] 12428 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758803/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758803; rev:1;)
alert tcp $HOME_NET any -> [44.194.210.145] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758804/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758804; rev:1;)
alert tcp $HOME_NET any -> [165.227.167.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758802/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758802; rev:1;)
alert tcp $HOME_NET any -> [64.64.252.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758801/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758801; rev:1;)
alert tcp $HOME_NET any -> [154.195.77.18] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758796/; target:src_ip; metadata:
confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758796; rev:1;)
#
# ip:port rules (one rule per line), all at confidence_level 50.
# No content, flow or flags keywords are present, so any TCP packet from
# $HOME_NET to the listed address and port matches - an unanswered connection
# attempt as much as an established session. The threshold option limits each
# rule to one alert per source address per 60 seconds.
# NOTE(review): the "Unknown malware" entries below are all on port 443; if
# an address is shared hosting or a cloud front end, unrelated TLS traffic to
# it raises the same alert. Confirm with flow or TLS metadata before acting.
#
alert tcp $HOME_NET any -> [83.229.123.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758797/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758797; rev:1;)
alert tcp $HOME_NET any -> [45.64.52.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758795/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758795; rev:1;)
alert tcp $HOME_NET any -> [45.76.247.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758793/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758793; rev:1;)
#
# Sliver entries: every rule below uses destination port 31337 and matches on
# address and port only.
# NOTE(review): 31337 looks like the framework's default operator
# (multiplayer) listener port rather than an implant callback port - confirm
# against the IOC pages. If so, a hit from $HOME_NET is worth checking for
# who on the source host is running a client, in addition to the usual
# compromise triage.
#
alert tcp $HOME_NET any -> [195.226.92.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758789/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758789; rev:1;)
alert tcp $HOME_NET any -> [157.151.245.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758790/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758790; rev:1;)
alert tcp $HOME_NET any -> [111.170.18.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758787/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758787; rev:1;)
alert tcp $HOME_NET any -> [103.69.128.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758788/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758788; rev:1;)
alert tcp $HOME_NET any -> [178.128.222.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758784/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758784; rev:1;)
alert tcp $HOME_NET any -> [146.190.161.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758785/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758785; rev:1;)
alert tcp $HOME_NET any -> [35.231.119.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758786/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758786; rev:1;)
alert tcp $HOME_NET any -> [213.136.80.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758783/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758783; rev:1;)
alert tcp $HOME_NET any -> [213.155.23.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758781/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758781; rev:1;)
alert tcp $HOME_NET any -> [185.207.64.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758782/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758782; rev:1;)
alert tcp $HOME_NET any -> [107.172.78.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758779/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758779; rev:1;)
alert tcp $HOME_NET any -> [65.109.213.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758780/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758780; rev:1;)
alert tcp $HOME_NET any -> [46.225.116.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758777/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758777; rev:1;)
alert tcp $HOME_NET any -> [157.20.182.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758778/; target:src_ip; metadata:
confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758778; rev:1;) alert tcp $HOME_NET any -> [95.179.249.144] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758776/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758776; rev:1;) alert tcp $HOME_NET any -> [82.153.138.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758774/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758774; rev:1;) alert tcp $HOME_NET any -> [147.182.143.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758775/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758775; rev:1;) alert tcp $HOME_NET any -> [157.173.126.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758773/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758773; rev:1;) alert tcp $HOME_NET any -> [104.233.177.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758772/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758772; rev:1;) alert tcp $HOME_NET any -> [206.237.13.242] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758771/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758771; rev:1;) alert tcp $HOME_NET any -> [47.98.253.102] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758770/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758770; rev:1;) alert tcp $HOME_NET any -> [23.95.72.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758768/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758768; rev:1;) alert tcp $HOME_NET any -> [54.247.74.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758769/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758769; rev:1;) alert tcp $HOME_NET any -> [159.203.171.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758767/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758767; rev:1;) alert tcp $HOME_NET any -> [101.200.193.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758766/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758766; rev:1;) alert 
tcp $HOME_NET any -> [67.70.241.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758765/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758765; rev:1;) alert tcp $HOME_NET any -> [124.223.33.239] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758764/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758764; rev:1;) alert tcp $HOME_NET any -> [82.202.199.26] 3001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758762/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758762; rev:1;) alert tcp $HOME_NET any -> [103.44.90.109] 53481 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758763/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758763; rev:1;) alert tcp $HOME_NET any -> [23.235.177.8] 53481 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758761/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r7qk9.ecuadoriangas.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1758750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758750; rev:1;) alert tcp $HOME_NET any -> [192.252.187.77] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758743/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758743; rev:1;) alert tcp $HOME_NET any -> [192.252.187.77] 8443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msonfire.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"msonfire.website"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"grassrootscontent.com"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1758736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grassrootscontent.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"richardgillassociates.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"richardgillassociates.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758739; rev:1;) alert tcp $HOME_NET any -> [45.144.52.165] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758740/; target:src_ip; metadata: confidence_level 99, first_seen 2026_03_05; classtype:trojan-activity; sid:91758740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"nuvixof.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758741/; target:src_ip; 
metadata: confidence_level 99, first_seen 2026_03_05; classtype:trojan-activity; sid:91758741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/fre.php"; depth:10; nocase; http.host; content:"motupalo.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"westindiesrum.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"westindiesrum.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"caribbeansquash.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"caribbeansquash.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"realmoney999.uno"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"realmoney999.uno"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"reddycolour.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reddycolour.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"ukprintingcompany.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ukprintingcompany.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rxwinone.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rxwinone.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"upnewskill.asia"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"upnewskill.asia"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelinks.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pixelinks.co.uk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ukflagcompany.co.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ukflagcompany.co.uk"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758719; rev:1;) 
# Rule shapes used in this run (one rule per line; the sid is the ThreatFox
# IOC id from the reference URL with a leading 9):
#  - domain (alert dns): dns_query selects the DNS query-name buffer. depth
#    equal to the name length plus isdataat:!1,relative means only a query for
#    exactly the listed name matches, in any letter case (nocase). A query for
#    a subdomain of a listed name does not match.
#  - url (alert http): client-to-server GET requests only. content:"/" with
#    depth:1 on http.uri accepts any URI that begins with "/", so the rule is
#    in effect a host match; the nocase after it modifies that "/" content.
#    On http.host, depth plus isdataat:!1,relative requires the whole host
#    buffer to equal the listed value.
#  - ip:port (alert tcp): no flow or payload keyword, so the match is on
#    destination address and port alone, limited by the threshold to one alert
#    per source address per 60 seconds.
# target:src_ip marks the $HOME_NET side as the alert target in all three.
# NOTE(review): the url rules inspect parsed HTTP only. No rule visible here
# matches a TLS SNI, so HTTPS requests to these hosts would surface only
# through a paired domain rule or an ip:port rule, where one exists.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"92dadu1.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"92dadu1.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkicau.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"caribairways.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mkicau.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"caribairways.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"offercentralm.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"offercentralm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"offercentralre.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758730/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"offercentralre.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758731; rev:1;)
alert tcp $HOME_NET any -> [198.211.115.123] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758640; rev:1;)
# confidence_level 90; no domain rule for this host is visible in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"carkeyswithease.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758643/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_05; classtype:trojan-activity; sid:91758643; rev:1;)
# Domain-only payload-delivery entries. Several are distinct hosts under the
# same parent zones; each rule matches only its exact listed name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rabbit-net.rabbitfarm.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miguelaramirez.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amrlb0h2.backorbit.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o2ob8ud5.backorbit.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farm03.rabbitfarm.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mightyplumbingco.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cjzsujzp.expresslabina.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"868mbybq.expresslabina.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f2kpaub7.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rabbit-v1.rabbitfarm.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3it2tb0.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bkaxd9y8.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758693; rev:1;)
# Vidar ip:port entries, all on destination port 443, confidence_level 100.
alert tcp $HOME_NET any -> [74.0.32.69] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758689; rev:1;)
alert tcp $HOME_NET any -> [151.247.22.111] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758690; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.116] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758691; rev:1;)
alert tcp $HOME_NET any -> [151.247.193.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758692; rev:1;)
# Botnet C2 domains, each followed further down by a url rule for the same host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gad.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gad.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwe.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwe.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wwe.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gad.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gad.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758684; rev:1;)
# The next three url rules carry an IP literal as the http.host content, so
# they match requests whose host value is the bare address. The addresses are
# the same as three of the four ip:port rules above on port 443;
# 151.247.22.111 has no url rule in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.69"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.116"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.193.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wwe.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758681; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.10] 7044 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farm-run.rabbitfarm.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758676; rev:1;)
# HTTP URL rule, published at confidence level 75. http.uri is a prefix
# match (anchored at offset 0 by depth, no end anchor, case-insensitive);
# http.host is an exact match (depth plus isdataat:!1,relative). Only
# cleartext or upstream-decrypted HTTP reaches these buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/five/five/fre.php"; depth:27; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758675/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758675; rev:1;)
# --- C2 endpoints by ip:port ---
# These match on the packet header alone (no flow, flags or content
# keyword) and are limited to one alert per source host per 60 seconds, so
# an alert means a host sent TCP traffic toward the endpoint, not that a
# session was established. classtype is trojan-activity at every confidence
# level; the confidence value appears only in msg and metadata, so rank
# alerts on that field (sids 91758674 and 91758662 are 75, the rest 100).
# Meterpreter, Sliver and Cobalt Strike are also used in authorised testing;
# check engagement records when triaging those entries.
alert tcp $HOME_NET any -> [94.154.32.40] 8383 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758674/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758674; rev:1;)
alert tcp $HOME_NET any -> [103.177.46.102] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758673; rev:1;)
alert tcp $HOME_NET any -> [89.28.236.32] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758672; rev:1;)
alert tcp $HOME_NET any -> [35.153.4.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758671; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.146] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758670; rev:1;)
alert tcp $HOME_NET any -> [45.137.205.36] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758669; rev:1;)
alert tcp $HOME_NET any -> [45.137.205.36] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758668; rev:1;)
alert tcp $HOME_NET any -> [161.97.95.77] 3384 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758667; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.4] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758666; rev:1;)
alert tcp $HOME_NET any -> [185.213.60.40] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758665; rev:1;)
alert tcp $HOME_NET any -> [156.234.252.199] 48713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758664; rev:1;)
# DNS query rules in this run are exact-match on the full query name
# (depth equals the string length, then isdataat:!1,relative), so sibling
# labels under the same parent domain need their own entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"talk-sync.grimasdiscuss.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758663; rev:1;)
alert tcp $HOME_NET any -> [46.149.73.57] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758662/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gb31welb.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758661; rev:1;)
alert tcp $HOME_NET any -> [47.118.19.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758660; rev:1;)
alert tcp $HOME_NET any -> [207.56.16.8] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758659; rev:1;)
alert tcp $HOME_NET any -> [52.59.254.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"enzab92d.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grim06.grimasdiscuss.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"disc-v9.grimasdiscuss.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758655/; target:src_ip; metadata: confidence_level 100,
first_seen 2026_03_05; classtype:trojan-activity; sid:91758655; rev:1;)
# --- Domain and ip:port indicators ---
# DNS rules: exact, case-insensitive match on the whole query name (depth
# equals the string length, then isdataat:!1,relative). ip:port rules:
# header-only match, at most one alert per source host per 60 seconds.
# classtype is the same at every confidence level, so the published
# confidence is visible only in msg and metadata; in this run sids 91758652,
# 91758644 and 91758639 are 75 and sids 91758503, 91758505 and 91758504 are
# 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micled.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grim-vault.grimasdiscuss.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758653; rev:1;)
alert tcp $HOME_NET any -> [193.221.201.134] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758652/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"down-path.falldown.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"michalispavlidis-lab.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yardvalue.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bre93qhl.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fall05.falldown.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"michaelsolanke.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5h8l4tqq.bullymarvel.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758645; rev:1;)
alert tcp $HOME_NET any -> [89.124.80.216] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758644/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"down-v8.falldown.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fall-node.falldown.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758641; rev:1;)
alert tcp $HOME_NET any -> [91.124.98.29] 2626 (msg:"ThreatFox DarkMe botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758639/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_05; classtype:trojan-activity; sid:91758639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yelpmo.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vipflorence.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758294; rev:1;)
# --- Payload-delivery URLs and their domains ---
# URL rules require an established client-to-server flow and a GET. The
# http.uri content is a case-insensitive prefix match (anchored at offset 0
# by depth, no end anchor), so a longer URI that begins with the listed path
# also alerts. http.host is an exact match: sid 91758522 matches
# www.fitmoversuae.com only, not the name without the www label. These
# buffers see cleartext or upstream-decrypted HTTP only.
# Where a domain has both a DNS rule and a URL rule (ofaskfaksfmtjmka.com,
# mvjfkakfkfkaiai.com), one download attempt can raise both alerts;
# correlate them by source address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/small.bat"; depth:10; nocase; http.host; content:"5.175.234.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.txt"; depth:9; nocase; http.host; content:"5.175.234.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"stylenemesiis.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758503/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"stylecanoonon.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758505/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ofaskfaksfmtjmka.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"stylewowcafwe.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758504/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_05; classtype:trojan-activity; sid:91758504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkaksf.js"; depth:10; nocase; http.host; content:"ofaskfaksfmtjmka.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r.gre"; depth:6; nocase; http.host; content:"193.111.117.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plixoworks.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plixolabsaf.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teams.php"; depth:10; nocase; http.host; content:"shallebstravelagency.co.ke"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mvjfkakfkfkaiai.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwttt.js"; depth:9; nocase; http.host; content:"mvjfkakfkfkaiai.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkama.php"; depth:10; nocase; http.host; content:"www.fitmoversuae.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f.gre"; depth:6; nocase; http.host; content:"144.31.207.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758523; rev:1;)
# --- Payload-delivery domains and URLs ---
# DNS rules match the whole query name exactly (depth equals the string
# length, then isdataat:!1,relative; nocase). URL rules need an established
# client-to-server flow and a GET; http.uri is a case-insensitive prefix
# match with no end anchor, http.host is an exact match. A short prefix such
# as "/oakf" or "/flfa" therefore also matches any longer path on that host
# that starts with the same bytes. The http.* buffers see cleartext or
# upstream-decrypted HTTP only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zevoroz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shorteverydaynnn.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oaoasff.js"; depth:11; nocase; http.host; content:"ofofoalalaladjrkrka.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oakf"; depth:5; nocase; http.host; content:"shorteverydaynnn.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758527/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama.php"; depth:8; nocase; http.host; content:"primetimehost.me"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cam4fr.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a5g.js"; depth:8; nocase; http.host; content:"cam4fr.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758531; rev:1;)
# Mirai C2 endpoint, one address on two ports, published at confidence level
# 80. Header-only match (no flow or content keyword), at most one alert per
# source host per 60 seconds for each rule.
alert tcp $HOME_NET any -> [84.32.98.123] 4330 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758515/; target:src_ip; metadata: confidence_level 80, first_seen 2026_03_05; classtype:trojan-activity; sid:91758515; rev:1;)
alert tcp $HOME_NET any -> [84.32.98.123] 44321 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758516/; target:src_ip; metadata: confidence_level 80, first_seen 2026_03_05; classtype:trojan-activity; sid:91758516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.grovecityhvacservices.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fasrbaundidnbb.vg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flfa"; depth:5; nocase; http.host; content:"fasrbaundidnbb.vg"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758536; rev:1;)
# cdnwoopress.com has one DNS rule and three URL rules (/verify,
# /api/get_payload, /api/beacon). Several of them can fire for a single
# host in a short window; group them by source address during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdnwoopress.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify"; depth:7; nocase; http.host; content:"cdnwoopress.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"palanusantara.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/challenge/cf"; depth:13; nocase; http.host; content:"palanusantara.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_payload"; depth:16; nocase; http.host; content:"cdnwoopress.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/beacon"; depth:11; nocase; http.host; content:"cdnwoopress.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrinmay.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"subsgod.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"traderslinkfx.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758574; rev:1;)
# http.uri content "/" with depth:1 is satisfied by any origin-form request
# path, so the rules below alert on every cleartext GET to the exact host,
# whatever resource is requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"traderslinkfx.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"subsgod.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mrinmay.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nobovcs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/group.html"; depth:11; nocase; http.host; content:"3v5w1km5gv.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.197"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.154"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.200"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.131"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.179"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"213.5.130.189"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1758461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nobovcs.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758579; rev:1;) alert tcp $HOME_NET any -> [161.35.171.177] 8443 (msg:"ThreatFox Aisuru botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758603; rev:1;)
# --- ip:port indicators labelled Aisuru ---
# Header-only rules: no payload or flow keywords, so an alert means only that
# a $HOME_NET host sent TCP traffic to the listed address and port. The
# threshold keeps output to one alert per source per 60 seconds per rule.
# 45.55.77.196 is listed on two ports (8080 and 8443), one rule each.
# NOTE(review): address indicators go stale when an address changes hands;
# first_seen in metadata is the only age signal carried by the rule.
alert tcp $HOME_NET any -> [167.172.205.188] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758604; rev:1;)
alert tcp $HOME_NET any -> [45.55.77.196] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758617; rev:1;)
alert tcp $HOME_NET any -> [137.184.111.42] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758618; rev:1;)
alert tcp $HOME_NET any -> [159.89.46.211] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758620; rev:1;)
alert tcp $HOME_NET any -> [45.55.77.196] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758621; rev:1;)
alert tcp $HOME_NET any -> [64.227.37.151] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758624; rev:1;)
alert tcp $HOME_NET any -> [142.93.141.170] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758637; rev:1;)
# NOTE(review): the next two rules carry a hostname / address in http.uri,
# anchored at offset 0 by depth, with no http.host match. An origin-form
# request target starts with "/", so this content would not match an ordinary
# GET; replay a capture to confirm whether they fire. If the indicator is a
# bare host, the match presumably belongs in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"unknowntool.shop"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1758638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.212.166.169"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1758636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758636; rev:1;)
# Nine .sbs hosts sharing the URI prefix "/api". depth:4 anchors the prefix at
# offset 0 and nothing anchors the end, so any GET whose path begins with
# "/api" matches; http.host is an exact match (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plastic-mitten.sbs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hallowed-noisy.sbs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wrench-creter.sbs"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"looky-marked.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slam-whipp.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"copper-replace.sbs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"record-envyp.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"savvy-steereo.sbs"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preside-comforter.sbs"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758627; rev:1;)
# NOTE(review): as with unknowntool.shop above, the next two rules hold a
# hostname in http.uri with no http.host match; confirm against a capture that
# they can fire before relying on them for coverage of these indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"support.avs4soft.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1758625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"support.office365excel.xyz"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1758626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758626; rev:1;)
# Payload-delivery domains, DNS form: exact-name match only (depth equals the
# content length, isdataat:!1,relative rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi.ngarengan.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mhtp.in"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mgfurniture.com.my"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meyercenter.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758616; rev:1;)
alert tcp $HOME_NET any -> [188.214.144.158] 8089 (msg:"ThreatFox Empire Downloader
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758615; rev:1;)
# --- ip:port indicators, mixed families ---
# Header-only rules: the destination address and port are the whole match, so
# an alert shows a connection attempt to the endpoint, not a decoded protocol.
# The threshold keeps output to one alert per source per 60 seconds per rule.
# The entries on 443 and 80 share their port with ordinary web traffic, so the
# address is the only discriminator there.
# NOTE(review): several families named in msg (Meterpreter, Havoc, Cobalt
# Strike) are frameworks that also appear in authorised testing; triage should
# rule out a sanctioned engagement before escalating.
alert tcp $HOME_NET any -> [56.155.89.183] 53429 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758614; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.225] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758613; rev:1;)
alert tcp $HOME_NET any -> [15.237.217.232] 5986 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758612; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.236] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758611; rev:1;)
alert tcp $HOME_NET any -> [191.93.118.190] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758610; rev:1;)
alert tcp $HOME_NET any -> [198.58.123.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758609; rev:1;)
alert tcp $HOME_NET any -> [45.81.113.41] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758608; rev:1;)
alert tcp $HOME_NET any -> [147.93.176.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758607; rev:1;)
alert tcp $HOME_NET any -> [103.106.189.91] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758606; rev:1;)
# DNS form: exact-name match only (depth equals the content length and
# isdataat:!1,relative rejects trailing bytes), case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mewt.ly"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"metodo60up.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nvd9pk2u4h.localto.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niggerbigertrigger-40627.portmap.host"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758600; rev:1;) alert tcp $HOME_NET any -> [94.156.115.95] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metalurgicatigasco.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metallbau24.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1758597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758597; rev:1;)
# --- Payload-delivery domains, DNS form ---
# depth equals the content length and isdataat:!1,relative rejects trailing
# bytes, so each rule matches a lookup of exactly the listed name (nocase);
# other labels under the same domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mestresdacomposicao.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mastermovers.ae"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merceriarosa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758593; rev:1;)
# Header-only ip:port rule: destination address and port are the whole match.
alert tcp $HOME_NET any -> [46.153.215.185] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758592; rev:1;)
# Three C2 hostnames under fpcsorp.ca. Each rule is an exact-name match, so a
# lookup of any other label under that parent is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hervw2.fpcsorp.ca"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login-ss.fpcsorp.ca"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mejeff.fpcsorp.ca"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758590; rev:1;)
# --- ip:port indicators, mixed families ---
# No payload or flow keywords: an alert shows only that a $HOME_NET host sent
# TCP traffic to the endpoint. The threshold keeps output to one alert per
# source per 60 seconds per rule. The 443 entry shares its port with ordinary
# web traffic, so the address is the only discriminator there.
# NOTE(review): address indicators go stale when an address changes hands;
# first_seen in metadata is the only age signal carried by the rule.
alert tcp $HOME_NET any -> [91.219.238.189] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758588; rev:1;)
alert tcp $HOME_NET any -> [139.224.135.193] 5555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758587; rev:1;)
alert tcp $HOME_NET any -> [141.164.62.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758586; rev:1;)
alert tcp $HOME_NET any -> [195.24.237.45] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758585; rev:1;)
alert tcp $HOME_NET any -> [154.91.4.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758584; rev:1;)
alert tcp $HOME_NET any -> [23.95.117.227] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758583; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.190] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758582; rev:1;)
alert tcp $HOME_NET any -> [172.245.246.80] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758581; rev:1;)
alert tcp $HOME_NET any -> [47.105.100.60] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_05; classtype:trojan-activity; sid:91758580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mengchih.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758571; rev:1;)
# --- Indicators with first_seen 2026_03_04 ---
# DNS form: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only a lookup of exactly the listed name alerts (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mendarentacar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758570; rev:1;)
# C2 hostnames under portmap.host, ydns.eu and duckdns.org (presumably shared
# dynamic-DNS / port-forwarding zones; verify). The match is on the full
# hostname, so other hosts under the same parent zone do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lynx1test111-35010.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ustaadgull-32330.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obitrust150.ydns.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buikes2002.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758560; rev:1;)
# Header-only ip:port rule: destination address and port are the whole match;
# the threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [5.101.82.191] 8192 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"special1.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758558; rev:1;)
# 181.16.18.59 is listed on ports 6606, 7707 and 8808, one rule per port; each
# rule has its own threshold, so one source can raise up to three alerts per
# 60 seconds for this address.
alert tcp $HOME_NET any -> [181.16.18.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758555; rev:1;)
alert tcp $HOME_NET any -> [181.16.18.59] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758556; rev:1;)
alert tcp $HOME_NET any -> [181.16.18.59] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04;
classtype:trojan-activity; sid:91758557; rev:1;)
# --- C2 hostnames under identitypoliticspod.com and xoilac86kc.tv ---
# The same nine labels (atex, backup, data, ddos, malware, phishing, quantri,
# v2, v3) are listed under both parents, one exact-name rule each: depth
# equals the content length and isdataat:!1,relative rejects trailing bytes.
# NOTE(review): because every rule is exact-match, a lookup of any other label
# under these parents raises no alert. Whether a local parent-domain rule
# (e.g. dotprefix with endswith) is appropriate depends on whether the parent
# domains themselves are malicious or merely abused; verify before adding.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.identitypoliticspod.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.identitypoliticspod.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.identitypoliticspod.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.identitypoliticspod.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.identitypoliticspod.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.identitypoliticspod.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.identitypoliticspod.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.identitypoliticspod.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.identitypoliticspod.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758554/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilac86kc.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilac86kc.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilac86kc.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilac86kc.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilac86kc.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilac86kc.tv"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilac86kc.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilac86kc.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilac86kc.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758545; rev:1;)
# Payload-delivery domains, DNS form: same exact-name match as above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"members.environmenthq.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"melturbo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"melcher.crenn.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758528/; target:src_ip; metadata: confidence_level
100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atroph-hub.atrophlearn.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"out-flow.platypusout.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plat04.platypusout.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"out-v5.platypusout.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plat-gate.platypusout.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758507; 
rev:1;)
# Payload-delivery domains: exact, case-insensitive match on the full DNS
# query name (content + depth equal to its length + isdataat:!1,relative).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"phys-sync.dysenteryphysics.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"physics09.dysenteryphysics.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dys-v4.dysenteryphysics.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758501; rev:1;)
# ip:port indicators. These rules carry no flow or content keyword, so they
# match on the packet header alone: any TCP packet from $HOME_NET to the
# listed address and port, including a SYN that is never answered. An alert
# therefore shows an attempted connection, not a confirmed C2 session.
# threshold (type limit, track by_src, 60 s, count 1) caps output at one alert
# per source address per minute per rule. target:src_ip marks the internal
# host as the affected side in the alert record.
# NOTE(review): an address can be reassigned after first_seen; the rules have
# no expiry of their own, so check the indicator's current status via the
# reference URL before acting on an old hit.
alert tcp $HOME_NET any -> [3.15.198.226] 250 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758499; rev:1;)
alert tcp $HOME_NET any -> [196.75.30.229] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758500; rev:1;)
alert tcp $HOME_NET any -> [23.177.185.166] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758498; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.210] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758497; rev:1;)
# The Quasar RAT rules below all name the same destination address and differ
# only in port; when triaging, pivot on the host rather than on a single sid.
alert tcp $HOME_NET any -> [89.146.178.151] 61184 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758496; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 15114 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758492; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 19999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758493; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 30642 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758494; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 36320 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758495; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 16992 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758490; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 8883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758491; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 13000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758486; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 32183 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758487; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 47706 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758488; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 5060 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758489; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758484; rev:1;)
alert tcp $HOME_NET any -> [89.146.178.151] 12831 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758485; rev:1;)
# The next rule uses port 443 and a later Remcos rule uses port 80. With no
# payload condition, any web connection to those addresses raises the alert,
# so corroborate with TLS/HTTP metadata for the same flow.
alert tcp $HOME_NET any -> [63.176.144.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758483; rev:1;)
alert tcp $HOME_NET any -> [4.228.217.99] 4449 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758482; rev:1;)
alert tcp $HOME_NET any -> [194.59.31.37] 6699 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758480; rev:1;)
alert tcp $HOME_NET any -> [96.44.159.137] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758481; rev:1;)
alert tcp $HOME_NET any -> [198.23.175.48] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758478; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.29] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758479; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.237] 7936 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"phys-unit.dysenteryphysics.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758476/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758476; rev:1;)
# Two rule shapes are interleaved below, in feed order.
#  - alert dns: exact, case-insensitive match on the whole DNS query name
#    (content + depth equal to its length + isdataat:!1,relative + nocase).
#    Subdomains of a listed name and its parent domain do not match.
#  - alert tcp -> [ip] port: header-only match with no flow or content
#    keyword; fires on any TCP packet to that address and port, rate-limited
#    by threshold to one alert per source per 60 seconds.
# The msg text separates "botnet C2 traffic" from "payload delivery"; both use
# classtype trojan-activity, so filter on msg when the distinction matters.
# NOTE(review): several payload-delivery names read like ordinary websites;
# the feed does not say whether they are attacker-registered or compromised
# legitimate sites, so corroborate a DNS hit with proxy/endpoint telemetry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medvis.ro"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758475; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.158] 5006 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"past01.pastorsorny.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meetings.niagads.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sorny-v3.pastorsorny.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"past-core.pastorsorny.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"long-run.longtime.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go88vn.uk.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vcq.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chrono07.longtime.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"time-v2.longtime.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"long-site.longtime.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medicompu.mx"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medicalnutri.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sync-base.multilsacred.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multi03.multilsacred.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhanhu.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yinhukong.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k4mtpn.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758449; rev:1;)
alert tcp $HOME_NET any -> [193.221.201.76] 1111 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sacred-v1.multilsacred.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mediaro-demo.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multi-node.multilsacred.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolf01.wolfhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wild-sync.wolfhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"media.math4teaching.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v9.wolfhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wolf-run.wolfhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"star06.starhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"media-design-studio.de"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"astro-net.starhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v8.starhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"star-gate.starhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iron08.ironhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metal-sync.ironhaven.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v7.ironhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iron-vault.ironhaven.in.net"; depth:27; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758295; rev:1;)
# Three rule shapes are interleaved below, in feed order.
#  - alert dns: exact, case-insensitive match on the whole DNS query name
#    (content + depth equal to its length + isdataat:!1,relative + nocase).
#  - alert http: URL indicators, see the note above the first one.
#  - alert tcp -> [ip] port: header-only match, see the note above the first
#    one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oak05.oakshaven.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meblobuk.com.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wood-net.oakshaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758291; rev:1;)
# URL indicators: client-side GET on an established flow. http.uri has content
# + depth + nocase but no isdataat, so the request URI only has to begin with
# the listed path (assuming depth equals the pattern length, as it does in the
# shorter rule further down); anything may follow it. http.host adds
# isdataat:!1,relative, so the host must match in full.
# NOTE(review): these buffers are only filled from HTTP the sensor can parse,
# so the same URL fetched over TLS is presumably not seen unless traffic is
# decrypted upstream - confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af8kjovfx0xugw-dbyfqkgkrdk7lzvgopl773kpxek4txu2s2pl-smjachw7n_ht4bwik3lir5zbedjtxa8vch6li4dh3zdhp6rua66zfx_nnh7fml8z7exbk70-jdoagbfsyahstfwci0goegklqr9t8oz5ij26chexxzif1o4mbc0g8mulmizcbp7_"; depth:189; nocase; http.host; content:"35.231.116.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v6.oakshaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/664f54e6.php"; depth:13; nocase; http.host; content:"hulr3lyand.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oak-path.oakshaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lake09.lakehaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aqua-sync.lakehaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdtstudios.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758283; rev:1;)
# ip:port indicators: no flow or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered
# SYN. threshold caps output at one alert per source address per 60 seconds
# per rule. An alert shows an attempted connection, not a confirmed C2
# session; corroborate with flow records and endpoint telemetry.
alert tcp $HOME_NET any -> [23.177.185.166] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758282; rev:1;)
alert tcp $HOME_NET any -> [154.38.163.220] 8090 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758281; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.52] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758280; rev:1;)
alert tcp $HOME_NET any -> [91.224.92.173] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758279; rev:1;)
alert tcp $HOME_NET any -> [134.122.152.210] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758278/;
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758278; rev:1;) alert tcp $HOME_NET any -> [198.199.87.182] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758277; rev:1;) alert tcp $HOME_NET any -> [23.95.117.227] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758276; rev:1;) alert tcp $HOME_NET any -> [5.101.86.54] 2428 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758275; rev:1;) alert tcp $HOME_NET any -> [198.23.175.47] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758274; rev:1;) alert tcp $HOME_NET any -> [63.177.103.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"haven-v5.lakehaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758272; rev:1;)
# .onion indicators written as exact-name DNS query matches. They alert only
# when a host in $HOME_NET sends a DNS lookup for the name towards $EXTERNAL_NET.
# NOTE(review): a client that reaches an onion service through Tor normally
# resolves the name inside the Tor network and issues no DNS query, so silence
# from these rules is not evidence that the services were never contacted.
# Treat a hit as a leaked lookup and follow up on the source host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qcncet2rpvs3t5lnvuzzth3vbro46snkylgyqx3igdnb5bv324nzojqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"to3odzfolkvhkj3jf5oo3qq5hvdycy5n5n6bi564yrxdgavnwv5znjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x7ghos27bltjtfombanecwgynfk4jw53ewkhzfnb5f27qmuquxwzhyad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epnsv5xaxnrks5yliq5wlthbmdlidkjddon3rx5llftx4ueiwfzdx6ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b26gczu5dbhaovnkp5c3ef3vdphqxj64z4nwzvfdabplbptgp56gsdyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44ga7x7kicz2bbxaohdfw5iw6j7dgg4kyctwtf4kh6gsxifbah4jv4ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q37z64a4j7455p6zcdxfpqrrgctmd46vaz2uejsqgxbmrcjbd4w3fqid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccpgp25zc37xccprbjr46iurz5c5awhqxltm6xn7nef7dxpsyegwncid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pptiuraybrwacfl5v2qmzknenqxwt5eojtbh5cxxejaq3oo4bidkv7id.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wqse4qzvrtbg5o3evt2eexovcilxpvlsopwvpu7toimx64njqekzuqid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eddo6w66t6t4kribwjbxvtehtsny4g6j2a5gj6pzivivcu5nywhegtqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ejqsesb5cgero35i7ujerpuslbokhuwl3dqgsrg44bzamamccf7fw3ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qvqoau7353xe7wm3z6fzxn33q63ck7cys56wsbx25c22fnxyu4fzhnyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1758252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758252; rev:1;)
# NOTE(review): this name is 58 bytes (a 52-character label before ".onion"),
# while the other .onion rules in this block use 62-byte names (56-character
# label). Check the value against the referenced ThreatFox entry: the match is
# anchored at both ends, so if the indicator was truncated upstream this rule
# cannot fire on a query for the full name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qs6wu56n2adj7qrjg25dhcux2nislvjouffpzldj23e4y72akoid.onion"; depth:58; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758253; rev:1;)
# The .onion rules alert on a DNS lookup for the name sent from $HOME_NET towards
# $EXTERNAL_NET; they do not observe Tor connections themselves.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woed7o3il2jrxzczupntvhutc2ogs5otn6ekgoya6qo33qcuhomkhwad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"27kmvzlfn3dpb6s4zq3qknqpcbrk5qzhwmg5awhjmu3m2okgpd4pgrid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsz2oqrfnyik3vtcx5rzubfuam3n5kapvkkagqr7yzxdxvdhehjxghqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s5v5hvtk3oyxg3m6afgxeuwlasqku3adeosv7kwwjfvhf22vqiwotrqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igf7rlhjtvitxh72suhb55hqic67pvphbqikkrqqilzj3drhirglziyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758258; rev:1;)
# Payload-delivery domain indicators: exact-name DNS query matches (depth equals
# the content length, isdataat:!1,relative forbids trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lake-site.lakehaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdom5assessoria.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind02.windhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"mdnabeel.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758248; rev:1;)
# Domain indicators: exact-name DNS query matches (start anchored by depth, end
# anchored by isdataat:!1,relative, compared with nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"air-flow.windhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v4.windhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h9k2x7.highexplos.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blastforge.highexplos.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758181; rev:1;)
# URL indicators for the root path. The http.uri test is content "/" at depth 1
# with no end anchor, which every URI beginning with "/" satisfies, so these
# rules alert on any GET whose http.host buffer is exactly the listed name, not
# only on a request for "/".
# NOTE(review): the three goldhaven.in.net hosts below also have domain rules in
# this feed (sids 91758205, 91758220, 91758221), so one visit can raise both a
# DNS and an HTTP alert; correlate by host and source rather than by alert count.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gold-hub.goldhaven.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haven-v2.goldhaven.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aurum-net.goldhaven.in.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dark01.darkhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disk.grovecitykitchenremodeling.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"wind-unit.windhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758245; rev:1;)
# Domain indicators. Every match is for the exact query name (start anchored by
# depth, end anchored by isdataat:!1,relative, compared with nocase), so a rule
# for "pass.ru.com" or "gadgethub.gb.net" does not alert on queries for its
# subdomains or for other names under the same parent zone.
# NOTE(review): several rules list individual hosts under the same parent zones
# (stonehaven.in.net, darkhaven.in.net); hosts under those zones that are not
# listed here are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stone04.stonehaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdbillingservicespr.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rock-net.stonehaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v3.stonehaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758240/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758240; rev:1;)
# NOTE(review): ply.gg (here) and portmap.host (sid 91758236 below) look like
# shared tunnelling / port-forwarding services, which is presumably why only the
# full tenant hostname is listed; confirm before widening either match to the
# parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"valid-witnesses.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stone-base.stonehaven.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bombasyic.za.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja197-47831.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cm88vn1.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gadgethub.gb.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooxlat.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"museum72nasekina.ru.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pass.ru.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"void-sync.darkhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-x.darkhaven.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758228/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_04; classtype:trojan-activity; sid:91758228; rev:1;)
# Two rule shapes alternate below.
#   dns:  exact-name match on the DNS query (depth equals the content length,
#         isdataat:!1,relative forbids trailing bytes, nocase).
#   http: client-to-server GET on an established flow whose http.host buffer is
#         exactly the listed name. The http.uri test is content "/" at depth 1
#         with no end anchor, which every URI beginning with "/" satisfies, so
#         these alert on any GET to the host rather than only on "/".
# NOTE(review): blastforge and h9k2x7 under highexplos.in.net also have domain
# rules in this feed (sids 91758181, 91758180); expect paired DNS and HTTP alerts
# for one visit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dark-core.darkhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blue03.bluehaven.in.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold07.goldhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aurum-net.goldhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v2.goldhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sky-sync.bluehaven.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haven-v1.bluehaven.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blue-node.bluehaven.in.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"h1gh-xpl0r.highexplos.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blastforge.highexplos.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"h9k2x7.highexplos.in.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"f1at-rnold.flatdon.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stoneplain.flatdon.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"z8t3p.flatdon.in.net"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758211; rev:1;)
# URL indicators for the root path: client-to-server GET on an established flow,
# http.host buffer exactly equal to the listed name (depth plus
# isdataat:!1,relative). The http.uri test (content "/" at depth 1, no end
# anchor) is satisfied by every URI beginning with "/", so the host match is
# what actually decides whether the rule fires. These rules carry no threshold,
# so each matching request can produce its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"agr4-vvave.agrahurry.in.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fastgrain.agrahurry.in.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"q4m8v1r.agrahurry.in.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"g0at-rnark.goatbreed.in.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hillpasture.goatbreed.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758206; rev:1;)
# Domain counterpart of the gold-hub URL rule (sid 91758224): a single visit to
# this host can raise both the DNS and the HTTP alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold-hub.goldhaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a7x9k2.goatbreed.in.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"doth09.caliphdotham.in.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cal-v1.caliphdotham.in.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"doth-sync.caliphdotham.in.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cal-node.caliphdotham.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"susp03.suspendvector.in.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vec-v1.suspendvector.in.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758198/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m.saint-inc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vec-core.suspendvector.in.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rot04.croprotation.in.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crop-v2.croprotation.in.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"rot-node.croprotation.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crop-sync.croprotation.in.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"insur02.dachshreinsur.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"shre-v1.dachshreinsur.in.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blue03.bluehaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758189/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_04; classtype:trojan-activity; sid:91758189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"insur-net.dachshreinsur.in.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dach-core.dachshreinsur.in.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sky-sync.bluehaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-v1.bluehaven.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758185; rev:1;) alert tcp $HOME_NET any -> [109.209.71.146] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758184/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blue-node.bluehaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h1gh-xpl0r.highexplos.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcot.thai.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758179; rev:1;) alert tcp $HOME_NET any -> [91.124.98.29] 2525 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758178/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_04; classtype:trojan-activity; sid:91758178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8a2yizw9.earedteach.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758177; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v0ad7mre.earedteach.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"inheritance-claims-portal-3246744.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758126/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_04; classtype:trojan-activity; sid:91758126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1at-rnold.flatdon.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mclmftcare.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758174; rev:1;) alert tcp $HOME_NET any -> [192.252.181.62] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758172; rev:1;) alert tcp $HOME_NET any -> 
[192.252.181.62] 448 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758173; rev:1;) alert tcp $HOME_NET any -> [3.36.56.88] 9201 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758171; rev:1;) alert tcp $HOME_NET any -> [3.36.56.88] 5901 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758170; rev:1;) alert tcp $HOME_NET any -> [217.216.94.50] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758169; rev:1;) alert tcp $HOME_NET any -> [15.216.98.177] 1913 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758168; rev:1;) alert tcp $HOME_NET any -> [15.216.98.177] 29463 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758167/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758167; rev:1;) alert tcp $HOME_NET any -> [15.216.98.177] 16063 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758166; rev:1;) alert tcp $HOME_NET any -> [15.216.98.177] 1963 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758165; rev:1;) alert tcp $HOME_NET any -> [185.163.204.214] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758164; rev:1;) alert tcp $HOME_NET any -> [45.55.182.145] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758163; rev:1;) alert tcp $HOME_NET any -> [144.124.229.131] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758162; rev:1;) alert tcp $HOME_NET any -> [185.241.208.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758161; rev:1;) alert tcp $HOME_NET any -> [186.169.63.84] 5061 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758160; rev:1;) alert tcp $HOME_NET any -> [147.79.20.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758159; rev:1;) alert tcp $HOME_NET any -> [156.234.56.50] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758158; rev:1;) alert tcp $HOME_NET any -> [156.234.56.62] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758157; rev:1;) alert tcp $HOME_NET any -> [156.234.56.59] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; 
classtype:trojan-activity; sid:91758155; rev:1;) alert tcp $HOME_NET any -> [156.234.56.56] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758156; rev:1;) alert tcp $HOME_NET any -> [156.234.56.47] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758154; rev:1;) alert tcp $HOME_NET any -> [156.234.56.41] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758153; rev:1;) alert tcp $HOME_NET any -> [156.234.56.39] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758152; rev:1;) alert tcp $HOME_NET any -> [156.234.56.42] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758151; rev:1;) alert tcp $HOME_NET any -> [156.234.56.53] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758150; rev:1;) alert tcp $HOME_NET any -> [156.234.56.46] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758149; rev:1;) alert tcp $HOME_NET any -> [156.234.56.54] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758147; rev:1;) alert tcp $HOME_NET any -> [156.234.56.60] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758148; rev:1;) alert tcp $HOME_NET any -> [156.234.56.35] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758146; rev:1;) alert tcp $HOME_NET any -> [156.234.56.48] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758145; 
rev:1;) alert tcp $HOME_NET any -> [156.234.56.61] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758144; rev:1;) alert tcp $HOME_NET any -> [156.234.56.45] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758143; rev:1;) alert tcp $HOME_NET any -> [156.234.56.44] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758141; rev:1;) alert tcp $HOME_NET any -> [156.234.56.37] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758142; rev:1;) alert tcp $HOME_NET any -> [156.234.56.40] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758140; rev:1;) alert tcp $HOME_NET any -> [156.234.56.38] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1758139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758139; rev:1;) alert tcp $HOME_NET any -> [156.234.56.36] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758137; rev:1;) alert tcp $HOME_NET any -> [156.234.56.58] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758138; rev:1;) alert tcp $HOME_NET any -> [156.234.56.52] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unitedclassifiedsourcinginc.duckdns.org"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758135; rev:1;) alert tcp $HOME_NET any -> [84.181.175.173] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758136; rev:1;) alert 
tcp $HOME_NET any -> [156.234.56.55] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758133; rev:1;) alert tcp $HOME_NET any -> [156.234.56.57] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758132; rev:1;) alert tcp $HOME_NET any -> [156.234.56.51] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758131; rev:1;) alert tcp $HOME_NET any -> [156.234.56.33] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758130; rev:1;) alert tcp $HOME_NET any -> [156.234.56.43] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758129; rev:1;) alert tcp $HOME_NET any -> [156.234.56.49] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1758128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcci.ly"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stoneplain.flatdon.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z8t3p.flatdon.in.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mathiashawes.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shieshan.ydns.eu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; 
classtype:trojan-activity; sid:91758122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu.myserver.com.bd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"che.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chu.myserver.com.bd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"che.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hide-cruise-raises-phases.trycloudflare.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758117/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_03_04; classtype:trojan-activity; sid:91758117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.html"; depth:11; nocase; http.host; content:"progress-in-process-x2.t3.storage.dev"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758037/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_04; classtype:trojan-activity; sid:91758037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"akaras.ch"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758045/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_04; classtype:trojan-activity; sid:91758045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agr4-vvave.agrahurry.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maximcolors.com.sg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/06ee2c94.php"; depth:13; nocase; http.host; content:"cc812496.tw1.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maxfitusa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastgrain.agrahurry.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maviesurinternet.fr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yamsmell.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758110; rev:1;) alert tcp $HOME_NET any -> [103.106.189.91] 5080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1758109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758109; rev:1;)
# ip:port rules: the only match conditions are the destination address and port.
# There is no content, flow or app-layer keyword, so any TCP packet from $HOME_NET
# to that endpoint qualifies; the threshold caps output at one alert per source
# host per 60 seconds.
# NOTE(review): on ports 80/443 the same address may also front unrelated services,
# and an address can be reassigned after first_seen. Corroborate with host or proxy
# telemetry before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [43.128.54.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758108; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative requires
# that nothing follows the match, so the DNS query must equal this name exactly
# (case-insensitively, via nocase). Other names under the same parent domain are
# not covered by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m8v1r.agrahurry.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758107; rev:1;)
# Same ip:port shape as above, on 443 and at confidence_level 75. The rule does not
# inspect the TLS session itself (no tls.* keyword is present).
alert tcp $HOME_NET any -> [46.149.73.219] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758106/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_04; classtype:trojan-activity; sid:91758106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g0at-rnark.goatbreed.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hillpasture.goatbreed.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; 
sid:91758104; rev:1;)
# The rules below carry confidence_level 50 in both msg and metadata. The rule
# header gives no other way to tell them from the 100% entries, so downstream
# triage has to key on that metadata field.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"funsunmexicobizz.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758103/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758103; rev:1;)
# ip:port rules: destination address and port are the only match conditions;
# the threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [108.93.243.41] 8796 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758101/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758101; rev:1;)
alert tcp $HOME_NET any -> [148.113.165.11] 2333 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758102/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758102; rev:1;)
# NOTE(review): this rule fires on any HTTP GET to host drive.google.com whose URI
# begins with "/uc". The URI content has depth 3 and no end anchor, and no query
# string or file identifier is pinned, so the match identifies a shared file-hosting
# endpoint rather than one specific object. Expect benign hits wherever that service
# is reachable over inspected HTTP, and treat an alert as a lead to correlate with
# endpoint evidence, not as a verdict. Being an "alert http" rule it only sees
# traffic the HTTP parser handles; TLS sessions are presumably out of scope unless
# decrypted upstream (confirm for your sensor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc"; depth:3; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758100/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758100; rev:1;)
# The URI condition here is "/" at depth 1, which any request target starting
# with "/" satisfies; in practice this rule is a GET + exact-Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"elecviews85.dynv6.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758098/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758098; rev:1;)
# NOTE(review): the next two rules place an IP literal in http.uri with depth 14,
# so they require the request URI itself to *begin* with the address string. The
# sibling rules in this file put the host in http.host and a path starting with "/"
# in http.uri; a normal origin-form request target starts with "/", so as written
# these two rules probably never match. This looks like a generator artifact for
# URL IOCs that have no path component (sid:91757617 has the same shape with a
# hostname). Do not count these sids as coverage for the address; verify against
# the referenced IOC entry and, if coverage is needed, match the address in
# http.host in a locally maintained rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"101.36.114.231"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1758099/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"27.102.137.140"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1758096/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758096; rev:1;)
# Host-pinned form: "/" at depth 1 in http.uri is satisfied by any request target
# starting with "/", so the effective condition is GET plus an exact http.host
# value (depth equals the content length; isdataat:!1,relative forbids trailing data).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mhjjh.dynv6.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758097/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.196.11.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758095/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758095; rev:1;)
# Path + host form: the URI must start with the given path (the depth bounds the
# prefix and there is no end anchor, so a query string after it still matches),
# and the Host value must equal the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/login.php"; depth:16; nocase; http.host; content:"verification-cloud.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1758094/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/login.php"; depth:16; nocase; http.host; content:"cloud-verificate.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758093/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/login.php"; depth:16; nocase; http.host; content:"verificate-cloudflare.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758092/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eae4257f605c417c.php"; depth:21; nocase; http.host; content:"193.24.123.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758091/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/536fde2d792c4b27.php"; depth:21; nocase; http.host; content:"176.98.185.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758090/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; 
sid:91758090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51d19cd02aba4bdf.php"; depth:21; nocase; http.host; content:"213.209.150.27"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758089/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4e42aa25c624454b.php"; depth:21; nocase; http.host; content:"176.65.141.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758088/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c7528f9ea08459d.php"; depth:21; nocase; http.host; content:"185.208.156.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758086/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d302466ba3884d8c.php"; depth:21; nocase; http.host; content:"77.220.213.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758087/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001131370c794afc.php"; depth:21; nocase; http.host; content:"173.208.162.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758085/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c8f5f829fc9a4856.php"; depth:21; nocase; http.host; content:"77.110.114.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758084/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9d649318033e475a.php"; depth:21; nocase; http.host; content:"193.233.198.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758083/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/979b792f11becc6f.php"; depth:21; nocase; http.host; content:"213.21.237.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758082/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f9c376230e95425f.php"; depth:21; nocase; http.host; 
content:"158.94.209.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758081/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a4b374f33e9c46af.php"; depth:21; nocase; http.host; content:"185.190.250.43"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758080/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/79f070f264484425.php"; depth:21; nocase; http.host; content:"45.147.196.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758079/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3e95b29aff3361c5.php"; depth:21; nocase; http.host; content:"178.236.252.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758078/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c73eed764cc59dcb.php"; depth:21; nocase; http.host; content:"23.88.106.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758077/; target:src_ip; metadata: 
confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1f8e0e5505b344dd.php"; depth:21; nocase; http.host; content:"95.217.139.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758076/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19347ab5734978bc.php"; depth:21; nocase; http.host; content:"91.214.78.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758075/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91758075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7x9k2.goatbreed.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"doth09.caliphdotham.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758072; rev:1;) alert tcp $HOME_NET any -> [102.117.166.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1758071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758071; rev:1;) alert tcp $HOME_NET any -> [47.105.117.209] 83 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758070; rev:1;) alert tcp $HOME_NET any -> [91.92.243.20] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758069; rev:1;) alert tcp $HOME_NET any -> [45.74.48.77] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758068; rev:1;) alert tcp $HOME_NET any -> [173.244.42.13] 38954 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758067; rev:1;) alert tcp $HOME_NET any -> [106.13.231.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758066; rev:1;) alert tcp $HOME_NET any -> [130.94.32.199] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758065; rev:1;) alert tcp $HOME_NET any -> [62.72.44.7] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758064; rev:1;) alert tcp $HOME_NET any -> [74.0.32.118] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758061; rev:1;) alert tcp $HOME_NET any -> [74.0.32.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758062; rev:1;) alert tcp $HOME_NET any -> [77.42.49.55] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758063; rev:1;) alert tcp $HOME_NET any -> [74.0.32.119] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; 
sid:91758058; rev:1;) alert tcp $HOME_NET any -> [74.0.32.129] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758059; rev:1;) alert tcp $HOME_NET any -> [95.217.50.22] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ths.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ths.cricket-physio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.118"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.28"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.49.55"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ths.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ths.cricket-physio.com"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1758050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.119"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cal-v1.caliphdotham.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758048; rev:1;) alert tcp $HOME_NET any -> [27.223.85.234] 50443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"doth-sync.caliphdotham.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"olf4rjbg.hardmosolenog.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1758044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"whsacrev.hardmosolenog.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cal-node.caliphdotham.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"materasso.by"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2v42nbtg.deliainaturner.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nlxzjez2.deliainaturner.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758039/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"susp03.suspendvector.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mataimenes.hu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vec-v1.suspendvector.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feedback.grovecitypestcontrol.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"114.66.58.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757600/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-core.redhaven.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind-unit.windcrest.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"massimuta.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xhamster.html"; depth:14; nocase; http.host; content:"massimuta.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soundlovlr.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; 
classtype:trojan-activity; sid:91757610; rev:1;)
# ThreatFox IOC rules, first_seen 2026_03_04, laid out one rule per line.
# Every rule watches traffic leaving $HOME_NET, sets target:src_ip (the internal
# host is the affected side) and links the ThreatFox IOC page in `reference`.
#
# URL IOCs (alert http): GET requests from the client only. The http.uri content
# is anchored at the start of the buffer by `depth` but nothing anchors its end,
# so it is a prefix match. The http.host content must equal the pattern exactly
# (depth == pattern length plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xhamster.html"; depth:14; nocase; http.host; content:"soundlovlr.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/most.pdf"; depth:9; nocase; http.host; content:"103.27.156.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757612; rev:1;)
# Domain IOCs (alert dns): depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes, so only a query for exactly this
# name matches (case-insensitive via nocase). Subdomains of a listed name do
# not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crest03.windcrest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"porora.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757614; rev:1;)
# NOTE(review): the URI pattern below contains literal "/../" segments, and
# http.uri is the normalized URI buffer. If normalization collapses dot segments
# the literal sequence will not be present and the rule stays silent - verify
# against a capture and consider matching on http.uri.raw instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winsxs/../compile/../debug/../gfgm0dy/c.w"; depth:42; nocase; http.host; content:"diskcitylink.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757615; rev:1;)
# NOTE(review): the pattern below is a bare hostname anchored at offset 0 of
# http.uri (depth:20 == pattern length) and the rule has no http.host match.
# Request URIs normally begin with "/", so this presumably never fires; the IOC
# looks like a host and probably belongs in http.host - confirm against the
# ThreatFox entry referenced by the rule. confidence_level is only 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"kko1ph.b3h5n3c0.work"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1757617/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91757617; rev:1;)
# URI content "/" with depth:1 only requires the URI to start with "/", so the
# exact http.host match is the effective selector here. confidence_level is 50;
# treat a hit as a lead to corroborate rather than a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rw3ukjj4q8l7.sayloot.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757618/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_04; classtype:trojan-activity; sid:91757618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind-v1.windcrest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"air-path.windcrest.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757619; rev:1;)
# ip:port IOC (alert tcp): there is no flow or flags option, so any TCP packet
# from $HOME_NET to this address and port matches; the threshold keeps output to
# one alert per source per 60 seconds.
# NOTE(review): the destination port is 80 and the match is on address alone;
# if the address is shared or later reassigned, unrelated web traffic would
# alert too - corroborate with host/URI evidence and age the entry out.
alert tcp $HOME_NET any -> [143.110.220.20] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757623; rev:1;)
# URI prefix "/o" (depth:2): every GET to this exact host whose URI starts with
# "/o" alerts, not only the single path the IOC was reported with.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; nocase; http.host; content:"joseph-stalin.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757626; rev:1;)
# Same host as the URL rule above, matched at DNS-query time.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"joseph-stalin.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757624; rev:1;)
# URI content "/" with depth:1 again: in practice this is a match on the Host
# header value (an IP literal) for any GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/send_photo"; depth:11; nocase; http.host; content:"144.31.25.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"dach-core.dachshreinsur.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rot-node.croprotation.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"susp-node.suspendvector.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcjohnnycruz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.windowstoolsupdate4278874.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"web.yg.ink"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web.vx.ink"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.hsjyxx.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system.yg.ink"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system.vx.ink"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sdgfsdfhsdfsdfssfdspen5/get.php"; depth:32; nocase; http.host; 
content:"cjto.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1758027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mastrainer.app"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masterwall.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758024; rev:1;) alert tcp $HOME_NET any -> [154.86.18.75] 9332 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758019/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_04; classtype:trojan-activity; sid:91758019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hengxin588.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758018/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_04; classtype:trojan-activity; sid:91758018; rev:1;) alert tcp $HOME_NET any -> [154.86.18.75] 9331 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; 
classtype:trojan-activity; sid:91758017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vec-core.suspendvector.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"massumifukuda.work"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rot04.croprotation.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masseriasantabarbara.it"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crop-v2.croprotation.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758012; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"master-ustanovshik.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758011; rev:1;)
# ip:port IOCs (alert tcp), one rule per line. None of these carries a flow,
# flags or content option: any TCP packet from $HOME_NET to the listed address
# and port matches, and `threshold: type limit, track by_src, seconds 60,
# count 1` caps output at one alert per internal source per minute. The malware
# family named in msg comes from the feed; the rule does not inspect payload.
# NOTE(review): because the match is on address and port alone, an alert shows
# that a connection was attempted, not that the named family's protocol was
# seen - pair it with flow or endpoint evidence during triage, and retire the
# entry once the IOC ages (first_seen is the only date carried here).
alert tcp $HOME_NET any -> [173.212.212.109] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758009; rev:1;)
# The next two rules cover the same address on two different ports.
alert tcp $HOME_NET any -> [18.61.127.127] 10260 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758008; rev:1;)
alert tcp $HOME_NET any -> [18.61.127.127] 110 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758007; rev:1;)
alert tcp $HOME_NET any -> [70.153.18.45] 10002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758006; rev:1;)
alert tcp $HOME_NET any -> [193.233.113.94] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758005; rev:1;)
alert tcp $HOME_NET any -> [95.90.186.240] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1758004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758004; rev:1;)
# Domain IOCs (alert dns): depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes, so only a query for exactly this
# name matches (case-insensitive via nocase).
# NOTE(review): the two names below look like endpoints of tunnelling /
# port-forwarding services (cpolar, portmap.host). "9.tcp.cpolar.top" in
# particular appears to be a service-wide endpoint rather than a per-tenant
# name, so lookups by unrelated users of the service would alert as well -
# confirm before turning a hit into a block, and consider whether use of such
# services is expected on this network at all.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9.tcp.cpolar.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jimej54602-35562.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crop-sync.croprotation.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91758001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marshalljonesjr.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1758000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; 
classtype:trojan-activity; sid:91758000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medical.digibuddy.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marks-blindajefinanciero.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757998; rev:1;) alert tcp $HOME_NET any -> [196.75.20.181] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757997; rev:1;) alert tcp $HOME_NET any -> [168.245.203.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757996; rev:1;) alert tcp $HOME_NET any -> [118.107.47.82] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757994; rev:1;) alert tcp $HOME_NET any -> [194.163.136.36] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757995; rev:1;) alert tcp $HOME_NET any -> [118.107.47.84] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757993; rev:1;) alert tcp $HOME_NET any -> [118.107.47.86] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757992; rev:1;) alert tcp $HOME_NET any -> [91.218.46.152] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757991; rev:1;) alert tcp $HOME_NET any -> [54.196.199.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757990; rev:1;) alert tcp $HOME_NET any -> [80.76.49.67] 22820 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; 
sid:91757989; rev:1;) alert tcp $HOME_NET any -> [43.249.175.209] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757988; rev:1;) alert tcp $HOME_NET any -> [23.248.213.121] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757987; rev:1;) alert tcp $HOME_NET any -> [156.234.21.202] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757986; rev:1;) alert tcp $HOME_NET any -> [43.249.175.197] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_04; classtype:trojan-activity; sid:91757985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"insur02.dachshreinsur.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"shre-v1.dachshreinsur.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketingdigital.uno"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"insur-net.dachshreinsur.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bank-sync.savingssit.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vault08.savingssit.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowof.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1757977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"somethinggoodfeaturesarewaitingforyoumyf.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757976; rev:1;) alert tcp $HOME_NET any -> [103.83.86.16] 16650 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757974; rev:1;) alert tcp $HOME_NET any -> [103.83.86.16] 16655 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llonger.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggq.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giovannini.eu.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.cakhiaas.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.harassmentfreealbany.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.livecdnem.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilac86ez.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.yearofcolour.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.harassmentfreealbany.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.livecdnem.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilac86ez.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.yearofcolour.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.90phutiu.cc"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.cakhiaas.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.harassmentfreealbany.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.livecdnem.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilac86ez.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.yearofcolour.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.90phutiu.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.cakhiaas.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.harassmentfreealbany.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.livecdnem.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilac86ez.tv"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757951/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_03; classtype:trojan-activity; sid:91757951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.yearofcolour.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.90phutiu.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.cakhiaas.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.harassmentfreealbany.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.livecdnem.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757956; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilac86ez.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.yearofcolour.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.90phutiu.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.cakhiaas.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.harassmentfreealbany.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"v2.livecdnem.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilac86ez.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.yearofcolour.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.90phutiu.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"90phutiu.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.90phutiu.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.cakhiaas.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.harassmentfreealbany.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.livecdnem.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilac86ez.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.yearofcolour.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.90phutiu.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.cakhiaas.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.harassmentfreealbany.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.livecdnem.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilac86ez.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.yearofcolour.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.90phutiu.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.cakhiaas.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.harassmentfreealbany.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.livecdnem.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"data.xoilac86ez.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.yearofcolour.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.90phutiu.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.cakhiaas.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andregiordan.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.andregiordan.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.andregiordan.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.andregiordan.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.andregiordan.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.andregiordan.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.andregiordan.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757912/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_03; classtype:trojan-activity; sid:91757912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.andregiordan.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.andregiordan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.andregiordan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mq3.za.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broadres5.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariodeganelli.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"odx9za7g.suffocturkey.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"68s7z85n.suffocturkey.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sit-v1.savingssit.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marianneclason.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"mariamahmad.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marcos.techadvisor.mx"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"save-node.savingssit.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loyalcap.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trail-x.goldtrail.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lovinglifewithcass.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold-hub.goldtrail.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757890; rev:1;) alert tcp $HOME_NET any -> [52.38.246.211] 50805 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757889; rev:1;) alert tcp $HOME_NET any -> [46.38.156.59] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757888; rev:1;) alert tcp $HOME_NET any -> [45.148.10.212] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757887; rev:1;) alert tcp $HOME_NET any -> [185.196.11.203] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757886; rev:1;) alert tcp $HOME_NET any -> [165.101.92.66] 80 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757885; rev:1;) alert tcp $HOME_NET any -> [117.24.4.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757884; rev:1;) alert tcp $HOME_NET any -> [64.227.100.207] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757883; rev:1;) alert tcp $HOME_NET any -> [138.226.247.177] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757882; rev:1;) alert tcp $HOME_NET any -> [172.111.139.127] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757881; rev:1;) alert tcp $HOME_NET any -> [109.248.151.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757880/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757880; rev:1;) alert tcp $HOME_NET any -> [43.240.239.235] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757879; rev:1;) alert tcp $HOME_NET any -> [43.249.175.215] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757877; rev:1;) alert tcp $HOME_NET any -> [103.39.16.231] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757878; rev:1;) alert tcp $HOME_NET any -> [27.124.30.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757876; rev:1;) alert tcp $HOME_NET any -> [23.248.213.114] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757875; rev:1;) alert tcp $HOME_NET any -> [103.39.16.252] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757872; rev:1;) alert tcp $HOME_NET any -> [43.249.175.202] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757873; rev:1;) alert tcp $HOME_NET any -> [43.240.239.241] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757874; rev:1;) alert tcp $HOME_NET any -> [43.240.239.234] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757868; rev:1;) alert tcp $HOME_NET any -> [103.41.7.235] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757869; rev:1;) alert tcp $HOME_NET any -> [43.249.175.203] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757870; rev:1;) alert tcp $HOME_NET any -> [103.41.7.254] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757871; rev:1;) alert tcp $HOME_NET any -> [103.41.7.247] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757866; rev:1;) alert tcp $HOME_NET any -> [43.249.172.115] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757867; rev:1;) alert tcp $HOME_NET any -> [156.234.21.196] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757863; rev:1;) alert tcp $HOME_NET any -> [103.39.16.250] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757864; rev:1;) alert tcp $HOME_NET any -> [43.240.239.253] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757865; rev:1;) alert tcp $HOME_NET any -> [43.249.172.118] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757861; rev:1;) alert tcp $HOME_NET any -> [23.248.213.113] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757862; rev:1;) alert tcp $HOME_NET any -> [23.226.58.109] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757857; rev:1;) alert tcp $HOME_NET any -> [23.226.48.198] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757858; rev:1;) alert tcp $HOME_NET any -> [156.234.21.209] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757859; rev:1;) 
# ThreatFox ip:port indicators tagged "Cobalt Strike botnet C2" (first_seen 2026_03_03), one rule per
# indicator, each kept on a single line.
# Match: TCP from $HOME_NET, any source port, to the single listed address and port. There is no flow or
# content keyword, so the decision rests on protocol, addresses and destination port alone; presumably a
# connection attempt that is never answered also alerts -- confirm against your Suricata version.
# In this block every 43.249.172.x destination uses port 28711 and all other destinations use port 3093.
# threshold (type limit, track by_src, seconds 60, count 1): at most one alert per source address per
# 60 seconds for each rule, so a host that keeps connecting is reported once a minute per rule.
# target:src_ip records the $HOME_NET source as the target side of the event, i.e. the host to triage.
# reference links the ThreatFox IOC entry; each sid is that IOC id prefixed with 9.
# Address-based indicators age: first_seen is the only date carried in the rule, so check the linked
# ThreatFox entry for current status before treating a hit on an old rule as confirmed C2.
alert tcp $HOME_NET any -> [43.240.239.229] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757860; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.202] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757854; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.214] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757855; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.232] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757856; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.120] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757852; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.217] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757853; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.230] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757849; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.211] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757850; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.123] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757851; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.218] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757847; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.235] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757848; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.230] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757844; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.113] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757845; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.105] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757846; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.101] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757842; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.243] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757843; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.125] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757839; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.126] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757840; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.217] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757841; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.252] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757836; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.194] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757837; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.199] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757838; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.254] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757832; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.238] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757833; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.124] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757834; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.198] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757835; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.110] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757829; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.242] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757830; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.115] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757831; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.210] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757826; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.201] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757827; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.100] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757828; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.254] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757822; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.226] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757823; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.247] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757824; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.236] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757825; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.231] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757819; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.123] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757820; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.108] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757821; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.104] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757817; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.100] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757818; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.215] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757814; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.226] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757815; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.253] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757816; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.240] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757811; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.236] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757812; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.240] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757813; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.242] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757807; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.228] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757808; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.214] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757809; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.116] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757810; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.107] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757804; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.233] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757805; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.200] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757806; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.212] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757800; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.225] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757801; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.198] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757802; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.222] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757803; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.227] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757797; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.106] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757798; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.117] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757799; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.242] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757794; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.105] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757795; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.124] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757796; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.244] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757791; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.237] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757792; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.213] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757793; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.204] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757787; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.230] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757788; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.203] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757789; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.112] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757790; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.248] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757784; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.248] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757785; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.101] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757786; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.99] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757782; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.229] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757783; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.105] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757779; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.121] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757780; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.243] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757781; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.229] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757776; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.251] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757777; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.234] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757778; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.251] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757773; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.249] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757774; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.215] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757775; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.201] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757769; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.102] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757770; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.225] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757771; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.114] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757772; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.104] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757766; rev:1;) alert tcp $HOME_NET any -> [103.39.16.241] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757767; rev:1;) alert tcp $HOME_NET any -> [43.249.172.113] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757768; rev:1;) alert tcp $HOME_NET any -> [23.226.58.103] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757763; rev:1;) alert tcp $HOME_NET any -> [43.249.172.108] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757764; rev:1;) alert tcp $HOME_NET any -> [43.240.239.233] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1757765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757765; rev:1;) alert tcp $HOME_NET any -> [23.226.58.114] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757760; rev:1;) alert tcp $HOME_NET any -> [43.249.175.210] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757761; rev:1;) alert tcp $HOME_NET any -> [43.249.175.200] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757762; rev:1;) alert tcp $HOME_NET any -> [43.249.172.116] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757757; rev:1;) alert tcp $HOME_NET any -> [103.39.16.253] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757758; rev:1;) alert tcp $HOME_NET any -> 
[43.249.175.193] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757759; rev:1;) alert tcp $HOME_NET any -> [23.226.48.207] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757754; rev:1;) alert tcp $HOME_NET any -> [43.249.172.99] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757755; rev:1;) alert tcp $HOME_NET any -> [103.41.7.237] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757756; rev:1;) alert tcp $HOME_NET any -> [23.248.213.120] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757751; rev:1;) alert tcp $HOME_NET any -> [156.234.21.203] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1757752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757752; rev:1;) alert tcp $HOME_NET any -> [23.248.213.100] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757753; rev:1;) alert tcp $HOME_NET any -> [23.248.213.112] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757748; rev:1;) alert tcp $HOME_NET any -> [43.249.172.111] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757749; rev:1;) alert tcp $HOME_NET any -> [103.41.7.249] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757750; rev:1;) alert tcp $HOME_NET any -> [23.248.213.125] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757745; rev:1;) alert tcp $HOME_NET any -> [103.41.7.234] 3093 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757746; rev:1;) alert tcp $HOME_NET any -> [43.240.239.227] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757747; rev:1;) alert tcp $HOME_NET any -> [43.249.172.123] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757742; rev:1;) alert tcp $HOME_NET any -> [43.240.239.244] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757743; rev:1;) alert tcp $HOME_NET any -> [43.249.175.211] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757744; rev:1;) alert tcp $HOME_NET any -> [43.249.175.195] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757739/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757739; rev:1;) alert tcp $HOME_NET any -> [103.41.7.241] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757740; rev:1;) alert tcp $HOME_NET any -> [156.234.21.194] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757741; rev:1;) alert tcp $HOME_NET any -> [156.234.21.199] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757736; rev:1;) alert tcp $HOME_NET any -> [23.248.213.109] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757737; rev:1;) alert tcp $HOME_NET any -> [23.226.58.110] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757738; rev:1;) alert tcp $HOME_NET any -> [43.249.175.216] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757732; rev:1;) alert tcp $HOME_NET any -> [23.226.58.111] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757733; rev:1;) alert tcp $HOME_NET any -> [23.226.48.220] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757734; rev:1;) alert tcp $HOME_NET any -> [43.249.175.204] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757735; rev:1;) alert tcp $HOME_NET any -> [43.249.175.206] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757729; rev:1;) alert tcp $HOME_NET any -> [43.240.239.226] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757730/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_03; classtype:trojan-activity; sid:91757730; rev:1;) alert tcp $HOME_NET any -> [23.226.48.209] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757731; rev:1;) alert tcp $HOME_NET any -> [43.240.239.246] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757727; rev:1;) alert tcp $HOME_NET any -> [43.249.175.207] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757728; rev:1;) alert tcp $HOME_NET any -> [43.249.172.101] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757726; rev:1;) alert tcp $HOME_NET any -> [23.226.48.212] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757722; rev:1;) alert tcp $HOME_NET any -> [43.249.172.107] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757723; rev:1;) alert tcp $HOME_NET any -> [23.226.48.195] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757724; rev:1;) alert tcp $HOME_NET any -> [23.248.213.103] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757725; rev:1;) alert tcp $HOME_NET any -> [156.234.21.220] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757719; rev:1;) alert tcp $HOME_NET any -> [23.248.213.106] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757720; rev:1;) alert tcp $HOME_NET any -> [23.226.58.119] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757721; rev:1;) alert tcp $HOME_NET any -> [23.248.213.119] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757716; rev:1;) alert tcp $HOME_NET any -> [103.41.7.245] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757717; rev:1;) alert tcp $HOME_NET any -> [103.41.7.246] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757718; rev:1;) alert tcp $HOME_NET any -> [103.41.7.244] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757713; rev:1;) alert tcp $HOME_NET any -> [103.39.16.251] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757714; rev:1;) alert tcp $HOME_NET any -> [43.240.239.238] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757715; rev:1;) alert tcp $HOME_NET any -> [43.249.175.221] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757710; rev:1;) alert tcp $HOME_NET any -> [23.226.58.122] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757711; rev:1;) alert tcp $HOME_NET any -> [23.226.48.210] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757712; rev:1;) alert tcp $HOME_NET any -> [23.226.48.197] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757707; rev:1;) alert tcp $HOME_NET any -> [23.226.48.194] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757708; rev:1;) alert tcp 
$HOME_NET any -> [23.226.58.98] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757709; rev:1;) alert tcp $HOME_NET any -> [23.226.48.211] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757705; rev:1;) alert tcp $HOME_NET any -> [43.249.172.102] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757706; rev:1;) alert tcp $HOME_NET any -> [23.226.48.208] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757702; rev:1;) alert tcp $HOME_NET any -> [103.41.7.231] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757703; rev:1;) alert tcp $HOME_NET any -> [156.234.21.206] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1757704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757704; rev:1;) alert tcp $HOME_NET any -> [103.39.16.246] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757699; rev:1;) alert tcp $HOME_NET any -> [103.39.16.228] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757700; rev:1;) alert tcp $HOME_NET any -> [23.248.213.118] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757701; rev:1;) alert tcp $HOME_NET any -> [43.249.175.217] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757697; rev:1;) alert tcp $HOME_NET any -> [43.249.175.201] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757698; rev:1;) alert tcp $HOME_NET any -> [23.226.58.97] 3093 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757694; rev:1;) alert tcp $HOME_NET any -> [43.240.239.243] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757695; rev:1;) alert tcp $HOME_NET any -> [103.39.16.233] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757696; rev:1;) alert tcp $HOME_NET any -> [43.240.239.236] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757691; rev:1;) alert tcp $HOME_NET any -> [156.234.21.221] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757692; rev:1;) alert tcp $HOME_NET any -> [23.226.48.205] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757693/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757693; rev:1;) alert tcp $HOME_NET any -> [43.240.239.247] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757688; rev:1;) alert tcp $HOME_NET any -> [43.240.239.239] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757689; rev:1;) alert tcp $HOME_NET any -> [43.249.172.106] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757690; rev:1;) alert tcp $HOME_NET any -> [103.41.7.250] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757686; rev:1;) alert tcp $HOME_NET any -> [23.226.58.116] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757687; rev:1;) alert tcp $HOME_NET any -> [43.249.175.208] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757684; rev:1;) alert tcp $HOME_NET any -> [43.249.172.112] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757685; rev:1;) alert tcp $HOME_NET any -> [43.249.172.109] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757681; rev:1;) alert tcp $HOME_NET any -> [43.240.239.249] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757682; rev:1;) alert tcp $HOME_NET any -> [156.234.21.197] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757683; rev:1;) alert tcp $HOME_NET any -> [23.226.48.219] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757679/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_03; classtype:trojan-activity; sid:91757679; rev:1;) alert tcp $HOME_NET any -> [43.249.172.104] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757680; rev:1;) alert tcp $HOME_NET any -> [23.248.213.110] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757677; rev:1;) alert tcp $HOME_NET any -> [23.226.48.222] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757678; rev:1;) alert tcp $HOME_NET any -> [156.234.21.195] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757675; rev:1;) alert tcp $HOME_NET any -> [23.226.48.214] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757676; rev:1;) alert tcp $HOME_NET any -> [43.249.172.97] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757673; rev:1;) alert tcp $HOME_NET any -> [23.226.58.120] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757674; rev:1;) alert tcp $HOME_NET any -> [43.240.239.252] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757671; rev:1;) alert tcp $HOME_NET any -> [103.39.16.245] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757672; rev:1;) alert tcp $HOME_NET any -> [156.234.21.219] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757670; rev:1;) alert tcp $HOME_NET any -> [103.39.16.239] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757669; 
rev:1;) alert tcp $HOME_NET any -> [43.240.239.250] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757668; rev:1;) alert tcp $HOME_NET any -> [43.249.175.222] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757666; rev:1;) alert tcp $HOME_NET any -> [43.249.175.196] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757667; rev:1;) alert tcp $HOME_NET any -> [23.248.213.111] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757664; rev:1;) alert tcp $HOME_NET any -> [43.249.172.98] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757665; rev:1;) alert tcp $HOME_NET any -> [43.249.175.199] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1757662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757662; rev:1;) alert tcp $HOME_NET any -> [23.248.213.126] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757663; rev:1;) alert tcp $HOME_NET any -> [43.249.172.125] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757660; rev:1;) alert tcp $HOME_NET any -> [43.240.239.248] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757661; rev:1;) alert tcp $HOME_NET any -> [156.234.21.205] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757658; rev:1;) alert tcp $HOME_NET any -> [103.39.16.227] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757659; rev:1;) alert tcp $HOME_NET any -> 
[23.248.213.122] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757656; rev:1;) alert tcp $HOME_NET any -> [43.240.239.245] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757657; rev:1;) alert tcp $HOME_NET any -> [23.226.58.107] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757654; rev:1;) alert tcp $HOME_NET any -> [43.249.172.119] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757655; rev:1;) alert tcp $HOME_NET any -> [23.226.58.115] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757652; rev:1;) alert tcp $HOME_NET any -> [23.226.48.218] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1757653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757653; rev:1;) alert tcp $HOME_NET any -> [23.226.48.213] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757649; rev:1;) alert tcp $HOME_NET any -> [103.41.7.238] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757650; rev:1;) alert tcp $HOME_NET any -> [23.226.48.206] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757651; rev:1;) alert tcp $HOME_NET any -> [103.41.7.232] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757647; rev:1;) alert tcp $HOME_NET any -> [156.234.21.216] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757648; rev:1;) alert tcp $HOME_NET any -> [23.226.48.200] 3093 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757645; rev:1;) alert tcp $HOME_NET any -> [23.226.48.221] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757646; rev:1;) alert tcp $HOME_NET any -> [23.248.213.98] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757642; rev:1;) alert tcp $HOME_NET any -> [23.226.58.121] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757643; rev:1;) alert tcp $HOME_NET any -> [156.234.21.208] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757644; rev:1;) alert tcp $HOME_NET any -> [23.226.48.204] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757640/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757640; rev:1;) alert tcp $HOME_NET any -> [43.249.172.117] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757641; rev:1;) alert tcp $HOME_NET any -> [43.249.172.122] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757638; rev:1;) alert tcp $HOME_NET any -> [103.41.7.239] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757639; rev:1;) alert tcp $HOME_NET any -> [43.240.239.232] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757635; rev:1;) alert tcp $HOME_NET any -> [23.226.58.108] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757636; rev:1;) alert tcp $HOME_NET any -> [43.240.239.237] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757637; rev:1;) alert tcp $HOME_NET any -> [156.234.21.207] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757632; rev:1;) alert tcp $HOME_NET any -> [43.249.172.126] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757633; rev:1;) alert tcp $HOME_NET any -> [23.226.48.196] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757634; rev:1;) alert tcp $HOME_NET any -> [23.248.213.117] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757630; rev:1;) alert tcp $HOME_NET any -> [43.240.239.228] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757631/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_03; classtype:trojan-activity; sid:91757631; rev:1;) alert tcp $HOME_NET any -> [23.226.48.216] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757628; rev:1;) alert tcp $HOME_NET any -> [23.248.213.102] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trail-net.goldtrail.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loureiroeazevedo.adv.br"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold04.goldtrail.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"manoumanwell.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.novoselementos.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757616; rev:1;) alert tcp $HOME_NET any -> [102.217.238.0] 5214 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lhcom.j-hodgson.co.uk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p-89qeketo.ru.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"americas.us.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1757602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757602; rev:1;) alert tcp $HOME_NET any -> [194.87.54.114] 6666 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.espacosparaeventos.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757599; rev:1;) alert tcp $HOME_NET any -> [89.124.82.121] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757598/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asahikg.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"texashydrowork.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757586; 
rev:1;)
# The five HTTP rules below match GET requests seen by the HTTP parser (alert http, http.method "GET").
# http.host is matched exactly: depth equals the pattern length and isdataat:!1,relative allows nothing after it.
# http.uri has the depth anchor but no end check, so each rule fires on any URI that starts with the listed path.
# NOTE(review): requests to these hosts over TLS would not reach the http buffers without decryption;
# the dns rules sid:91757585 (asahikg.co) and sid:91757586 (texashydrowork.com) alert on the lookup instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nw/js/min.js"; depth:13; nocase; http.host; content:"asahikg.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nw/config/config.js"; depth:20; nocase; http.host; content:"asahikg.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nw/js/loader.js"; depth:16; nocase; http.host; content:"asahikg.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757589; rev:1;)
# NOTE(review): sid:91757590 and sid:91757591 have identical match conditions (same method, URI and host);
# only the ThreatFox reference and the sid differ, so one matching request raises two alerts.
# Deduplicate downstream or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yku5c7eb"; depth:9; nocase; http.host; content:"texashydrowork.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/yku5c7eb"; depth:9; nocase; http.host; content:"texashydrowork.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757591; rev:1;)
# ip:port rule: no flow or payload keywords, so any TCP packet from $HOME_NET to this address and port matches;
# the threshold keeps output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [178.16.54.80] 3000 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757596; rev:1;)
# Domain rules: exact match on the dns_query buffer (depth = pattern length, isdataat:!1,relative, nocase).
# Subdomains of a listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"red09.redhaven.in.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.adlersocial.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"haven-x.redhaven.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redbase.redhaven.in.net"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floridamovietheaters.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marceloubaldo.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forest-run.oaktrail.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oak05.oaktrail.in.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757582; rev:1;) alert tcp $HOME_NET any -> [3.113.26.115] 38423 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757580/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757580; rev:1;) alert tcp $HOME_NET any -> [3.113.26.115] 14773 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757579; rev:1;) alert tcp $HOME_NET any -> [51.16.49.54] 47001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757578; rev:1;) alert tcp $HOME_NET any -> [51.16.49.54] 11101 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757577; rev:1;) alert tcp $HOME_NET any -> [63.179.100.153] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trail-v2.oaktrail.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757575; rev:1;) alert tcp $HOME_NET any -> [94.26.106.198] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757574; rev:1;) alert tcp $HOME_NET any -> [185.196.11.203] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757573; rev:1;) alert tcp $HOME_NET any -> [89.124.85.4] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757572; rev:1;) alert tcp $HOME_NET any -> [83.8.129.208] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757571; rev:1;) alert tcp $HOME_NET any -> [89.44.9.85] 12696 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757570; rev:1;) alert tcp $HOME_NET any -> [168.61.44.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; 
sid:91757569; rev:1;) alert tcp $HOME_NET any -> [23.226.56.197] 3751 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oakpath.oaktrail.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunflow.suncrest.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solarbase.suncrest.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crest01.suncrest.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
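confidence level: 100%)"; dns_query; content:"sun-node.suncrest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757567; rev:1;)
# Domain rules in this feed match the DNS query name exactly: `depth` equals
# the pattern length (anchors the match at the start of the name) and
# `isdataat:!1,relative` requires that no byte follows it. `nocase` makes the
# comparison case-insensitive. Subdomains of a listed name are therefore NOT
# matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marcavalado.anavalado.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757562; rev:1;)
# NOTE(review): the feed entry for ioc/1757561 carried the pattern
# "oakpath.oaktrail.in.net@80" (depth:26). The "@80" looks like a port suffix
# from the IOC, not part of a host name; a DNS query for this host would not
# contain it, so the exact-match rule could not fire. The pattern below is
# reduced to the host name and the depth to its length (23). The same name is
# also covered as botnet C2 by sid 91757563, so one lookup can raise both
# alerts. Report the malformed entry upstream so the next feed update does
# not reintroduce it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oakpath.oaktrail.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757561; rev:1;)
# The rules from here on carry confidence_level 75 in both msg and metadata;
# the value is available for severity mapping or filtering in triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-9988a09b.mobimark.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757543/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"karlachacon.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757544/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mabosfloor.ch"; depth:13; fast_pattern; 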
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insurance.loanroad.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757546/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols8.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757547/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kalongo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757548/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"health.wnyagent.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757549/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols10.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757550/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_03_03; classtype:trojan-activity; sid:91757550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols9.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757551/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols8.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757552/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols4.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757553/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols2.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757554/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols3.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757555/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols5.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757556/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lcontrols6.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757557/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"livingstonscleaning.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757558/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3-acc-domain.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757559/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3accdomain2.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757560/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"msg-booking.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1757522/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tesllamacapp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757523/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sqlcapture.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757524/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vandyuk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757525/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yuu-jinsei.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757526/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yutoku-plusoneshop.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757527/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zoolasuites.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757528/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wodan-trading.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757529/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zingst-ostsee.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757530/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xq5.dev"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757531/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www2.clv.it"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757532/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"zingst24.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757533/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757533; rev:1;)
# Each rule below alerts when a host in $HOME_NET issues a DNS query whose
# name equals the listed domain (start-anchored by `depth`, end-anchored by
# `isdataat:!1,relative`, case-insensitive via `nocase`). `target:src_ip`
# marks the querying host as the affected asset in the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wanya-no-heya.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757534/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webbklubben.se"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757535/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"d3tool.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757536/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bornodatabase.ng"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757537/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757537; rev:1;)
# NOTE(review): the next pattern is a cloud-provider instance host name that
# embeds an IP address, not a registrant-chosen domain. Such names follow the
# address, and the address can later be reassigned to an unrelated tenant, so
# this 75%-confidence indicator presumably ages faster than the others here.
# Re-check it against its first_seen date before treating a hit as confirmed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ec2-13-233-119-235.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1757538/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"admin.falconpayglobal.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757539/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mobileloavestc.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757540/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cmevents.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757541/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adrianadecastrojewelry.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757542/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neletuchi.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757500/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757501/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ai-informer.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757502/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fundingfactors.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757503/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gieable.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757504/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"namsioc.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757505/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 75%)"; dns_query; content:"canacopachuca.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757506/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gdckupwara.edu.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757507/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"polbath.co.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757508/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"web135.140.hosttech.eu"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757509/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"si-co.jp"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757510/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yomogi-2203.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1757511/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wrike.os.ogilvy.africa"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757512/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"westcoastwine.co.za"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757513/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wifi-dengen.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757514/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vallealto.unocode.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757515/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"uk-yakutsk.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757516/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test.organia.lk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757517/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vimo.ddsis.com.mx"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757518/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tv.rapigra.co.id"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757519/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spectrumtechconsulting.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757520/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"resodanse-salsa.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757521/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757521; rev:1;) alert tcp $HOME_NET any -> [170.64.238.23] 32561 (msg:"ThreatFox VShell 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757499; rev:1;)
# URL rule: fires on an established client-to-server HTTP request with method
# GET whose URI begins with the listed path (`depth` equals the path length,
# `nocase`, no end anchor, so a longer path or an appended query string still
# matches) and whose host equals the listed name exactly (`depth` plus
# `isdataat:!1,relative`). Suricata lower-cases the http.host buffer, which is
# why no `nocase` is attached to the host pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/plugin/snoopy/board/register.php"; depth:41; nocase; http.host; content:"techcross-wne.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757277; rev:1;)
# ip:port rules: there is no content, flow or flags option, so ANY TCP packet
# from $HOME_NET to the listed address and port matches. The `threshold`
# (type limit, track by_src, 60 s, count 1) caps output at one alert per
# source host per minute; alert counts therefore say nothing about how many
# connections or bytes were exchanged. Use flow or NetFlow records for that.
alert tcp $HOME_NET any -> [89.106.65.100] 9035 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkoyz.tollabemakki.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asteriaproject.dstat.click"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757498; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.13] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757497/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757497; rev:1;)
alert tcp $HOME_NET any -> [212.118.43.167] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757496/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757496; rev:1;)
# NOTE(review): destination port 443 at confidence_level 75. The rule keys on
# address and port only and inspects no TLS or HTTP field, so if this address
# also serves unrelated content, ordinary HTTPS from $HOME_NET will alert.
# Corroborate a hit with other evidence (TLS SNI or certificate logs, endpoint
# telemetry) before escalating.
alert tcp $HOME_NET any -> [144.124.235.102] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757493/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757493; rev:1;)
alert tcp $HOME_NET any -> [1.230.16.57] 5050 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjnwbd.za.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pubs.eu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vee.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buy-cheap-online.us.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.belaijobackup2.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757487/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.belaijobackup1.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757486/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757486; rev:1;) alert tcp $HOME_NET any -> [209.90.234.55] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757484/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757484; rev:1;) alert tcp $HOME_NET any -> [185.196.11.167] 1604 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757427/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manuelee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757415; rev:1;) alert tcp $HOME_NET any -> [91.84.126.69] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757389/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757389; rev:1;) alert tcp $HOME_NET any -> [46.151.182.245] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757285/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757285; rev:1;) alert tcp $HOME_NET any -> [31.57.216.28] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757286/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757286; rev:1;) alert tcp $HOME_NET any -> [130.12.182.175] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757287/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; 
classtype:trojan-activity; sid:91757287; rev:1;) alert tcp $HOME_NET any -> [130.12.180.144] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757288/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757288; rev:1;) alert tcp $HOME_NET any -> [130.12.180.119] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757289/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757289; rev:1;) alert tcp $HOME_NET any -> [130.12.180.85] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757290/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757290; rev:1;) alert tcp $HOME_NET any -> [31.57.216.27] 431 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757291/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.cricket-physio.com"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bot.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bot.cricket-physio.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757282; rev:1;) alert tcp $HOME_NET any -> [45.128.118.140] 9111 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mantena.mg.gov.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"mansi.cmpatelandcompany.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757278; rev:1;) alert tcp $HOME_NET any -> [83.142.209.47] 1420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/997dfa4c91"; depth:11; nocase; http.host; content:"46.226.162.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/997dfa4c912.sh"; depth:15; nocase; http.host; content:"46.226.162.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"45.32.50.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757271; rev:1;) alert 
tcp $HOME_NET any -> [45.32.50.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757272; rev:1;) alert tcp $HOME_NET any -> [46.226.162.174] 80 (msg:"ThreatFox Vidar payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757273/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_03; classtype:trojan-activity; sid:91757273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5h2s.js"; depth:8; nocase; http.host; content:"medipeads.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medipeads.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"medipeads.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757276; rev:1;) alert dns $HOME_NET any -> 
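$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solarbase.suncrest.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757267; rev:1;)
# Review note for sid:91757267 (completed on the line above) and sid:91757266
# (next line): both patterns carried a trailing "@80" after the hostname, which
# looks like a host@port artefact of the IOC. dns_query holds only the queried
# name, and depth plus isdataat:!1,relative anchor the pattern to the whole
# buffer, so a lookup of the host itself could not match. The suffix is dropped
# and depth recalculated (28 -> 25, 26 -> 23). Confirm against the ThreatFox
# entries referenced in each rule; the durable fix belongs in the feed, since
# this file carries a "Last updated" stamp and is presumably regenerated.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crest01.suncrest.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757266; rev:1;)
# ip:port rules: no payload match. Any TCP packet from $HOME_NET to the listed
# address and port alerts; the threshold limits this to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [37.228.129.224] 3688 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757265; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.92] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757264; rev:1;)
alert tcp $HOME_NET any -> [13.246.39.7] 6005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757263; rev:1;)
alert tcp $HOME_NET any -> [193.233.112.39] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 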
reference:url, threatfox.abuse.ch/ioc/1757262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757262; rev:1;) alert tcp $HOME_NET any -> [193.233.112.39] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757261; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757260; rev:1;) alert tcp $HOME_NET any -> [157.15.125.134] 59529 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hazesenpai67-61821.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757258; rev:1;) alert tcp $HOME_NET any -> [47.101.173.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757257; rev:1;) alert tcp $HOME_NET 
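any -> [138.128.223.195] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757256; rev:1;)
# ip:port rules: no payload match. Any TCP packet from $HOME_NET to the listed
# address and port alerts; the threshold limits this to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [42.194.154.35] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757255; rev:1;)
# Exact-name DNS rules: depth equals the pattern length and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly this name
# matches (subdomains do not).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friovjk.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757254; rev:1;)
# Review note for sid:91757253: the pattern carried a trailing "@80" after the
# hostname, which looks like a host@port artefact of the IOC. dns_query holds
# only the queried name and the pattern is anchored to the whole buffer, so a
# lookup of the host itself could not match. The suffix is dropped and depth
# recalculated (27 -> 24). Confirm against the referenced ThreatFox entry; the
# durable fix belongs in the feed, which presumably regenerates this file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sun-node.suncrest.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757253; rev:1;)
alert tcp $HOME_NET any -> [192.109.200.131] 53058 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z4fwpj6c.podkaraultempera.digital"; depth:33; 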
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ulnskj7j.podkaraultempera.digital"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"app-google3.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757249/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_03; classtype:trojan-activity; sid:91757249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"majekssoftware.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"newangelnewlifenewhopeformoneygetrichbac.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757247/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_03; classtype:trojan-activity; sid:91757247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"smartmultiservice.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757246/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_03; classtype:trojan-activity; sid:91757246; rev:1;)
# Telegram Bot API rule: matches a GET whose URI starts with the listed
# /bot<id>:<token>/ path (case-insensitive) and whose Host is exactly
# api.telegram.org. The host is a shared legitimate service; the bot path is
# what makes the match specific. Requests sent with POST are not covered.
# NOTE(review): api.telegram.org is normally reached over HTTPS, so an
# `alert http` rule presumably fires only where the sensor receives decrypted
# traffic. Confirm sensor placement before relying on it. Confidence is 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8581062014:aaelvytjqrxbzgqq27pi1h4gchls-hab2e4/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757245/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_03; classtype:trojan-activity; sid:91757245; rev:1;)
# Exact-name DNS rules: depth equals the pattern length and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly this name
# matches (subdomains do not).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"szfwq888.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yandibaiji0219.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757244; rev:1;)
# ip:port rules: no payload match. Any TCP packet from $HOME_NET to the listed
# address and port alerts; the threshold limits this to one alert per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [47.84.16.249] 6868 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757239; rev:1;)
alert tcp $HOME_NET any -> [148.66.11.10] 7777 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757240/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757240; rev:1;) alert tcp $HOME_NET any -> [143.92.34.55] 19021 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757241; rev:1;) alert tcp $HOME_NET any -> [148.66.11.10] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757242; rev:1;) alert tcp $HOME_NET any -> [160.191.182.13] 9999 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobnet.exiled.fit"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olrvjjldlynhaixm.camdvr.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"dcuyypjhxgjppihi.kozow.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"67sexy.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oonpczqujhsboufx.loseyourip.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmojjtdxqmjuepmh.freeddns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rpsslpjavhdodnio.webredirect.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"changllinstocks.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757228; rev:1;)
# Exact-name DNS rules: depth equals the pattern length and isdataat:!1,relative
# requires that nothing follows it, so only a query for exactly this name
# matches (subdomains do not).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastercliente.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lubumbapetr.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alkhal015.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757227; rev:1;)
# NOTE(review): the next two rules (sid:91757225, sid:91757226) put a bare
# hostname / IP address in http.uri with depth anchoring it to the start of the
# buffer, and have no http.host match. A request URI normally begins with "/",
# so these patterns presumably never match ordinary requests. The sibling URL
# rules in this file match the host in http.host and the path in http.uri;
# confirm the intended URL against the referenced ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"slavarossiisosathohli.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1757225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.31.221.193"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1757226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757226; rev:1;)
# ip:port rule: no payload match. Any TCP packet from $HOME_NET to the listed
# address and port alerts, limited to one alert per source address per 60 s.
alert tcp $HOME_NET any -> [45.88.9.19] 5555 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757224; rev:1;)
# Telegram Bot API rules: each matches a GET whose URI starts with the listed
# /bot<id>:<token>/sendmessage path (case-insensitive) and whose Host is exactly
# api.telegram.org. The host is a shared legitimate service; the bot path is
# what makes the match specific. Requests sent with POST are not covered.
# NOTE(review): api.telegram.org is normally reached over HTTPS, so these
# `alert http` rules presumably fire only where the sensor receives decrypted
# traffic. Confirm sensor placement before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8275021923:aahjepfj6glfxhmscg9tsjlozxli_asigto/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8580261409:aagvwpcxecyuihbbu0qmgi2bllslap41epo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8297692784:aah7sbb6kkvc8wpv8cr3cv7mkdeicsvdjtk/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757223/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757223; rev:1;) alert tcp $HOME_NET any -> [188.137.224.125] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bucket-grievance.with.playit.plus"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.trillex.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.trillex.io"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.trillex.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757214; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.trillex.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.healthcaretrends.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthcaretrends.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilacxyt.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilacxyt.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"atex.trillex.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilacxyt.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.trillex.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilacxyt.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.trillex.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.uykhur.za.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1757204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.trillex.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.hunewsbaytara23.za.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilacxyt.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.trillex.io"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hunewsbaytara23.za.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757199/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_03; classtype:trojan-activity; sid:91757199; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the rules that follow (laid out one rule per line).
#
# Three templates are used. All are $HOME_NET -> outbound with target:src_ip,
# so the internal host is recorded as the affected side of the alert.
#
# 1. alert dns ... dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase;
#    depth equals the length of the name and isdataat:!1,relative requires the
#    buffer to end there, so a rule fires only on a query for exactly that
#    name, in any letter case. A query for a subdomain of a listed name does
#    not match. Where clients resolve through a resolver inside $HOME_NET, the
#    source in the alert is the resolver; use resolver query logs to find the
#    originating host.
#
# 2. alert tcp $HOME_NET any -> [<ip>] <port> (... threshold: type limit, track by_src, seconds 60, count 1; ...)
#    There is no flow or content keyword: any TCP packet to that address and
#    port matches, and the threshold keeps it to one alert per source per 60 s.
#    The indicator is only the address/port pair, and several entries use
#    general-purpose ports (80, 443, 8080), so check first_seen and
#    confidence_level in metadata before acting and age out stale entries.
#
# 3. alert http ... http.method "GET"; http.uri content with depth; http.host exact
#    The URI content is anchored at the start only, so it is a prefix match;
#    the host is matched exactly. These rules inspect cleartext HTTP only.
#
# msg and metadata carry the feed's confidence level; a few rules below are 75
# or 90 rather than 100. Family names such as Meterpreter, Cobalt Strike,
# Sliver, Havoc and Empire are frameworks that authorised testers also use.
# NOTE(review): check alerts on those against any scheduled assessment.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilacxyt.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilacxyt.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatex.sitthereanddonothing.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilacxyt.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilacxyt.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.trillex.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.royal-sea-6c18.firebrainss.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.royal-sea-6c18.firebrainss.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.royal-sea-6c18.firebrainss.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.royal-sea-6c18.firebrainss.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.royal-sea-6c18.firebrainss.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.royal-sea-6c18.firebrainss.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.royal-sea-6c18.firebrainss.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.royal-sea-6c18.firebrainss.workers.dev"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.royal-sea-6c18.firebrainss.workers.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757189/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fogwharf.graydock.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757184; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.234] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757176; rev:1;)
alert tcp $HOME_NET any -> [207.180.58.207] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757177; rev:1;)
alert tcp $HOME_NET any -> [151.247.22.19] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757178; rev:1;)
alert tcp $HOME_NET any -> [89.125.37.85] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757179; rev:1;)
alert tcp $HOME_NET any -> [151.247.193.169] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757180; rev:1;)
alert tcp $HOME_NET any -> [95.217.50.21] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757181; rev:1;)
alert tcp $HOME_NET any -> [95.217.50.19] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757182; rev:1;)
alert tcp $HOME_NET any -> [95.217.50.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pks.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pks.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757175; rev:1;)
# The next nine http rules pair content:"/" at depth 1 with an exact host, so
# any cleartext GET to the host matches whatever the path. Their hosts repeat
# addresses from the Vidar ip:port rules and the two pks.* names above, so one
# connection can raise both an http and an ip:port or dns alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.125.37.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.193.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pks.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pks.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"207.180.58.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757166; rev:1;)
alert tcp $HOME_NET any -> [43.209.130.124] 501 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757163; rev:1;)
alert tcp $HOME_NET any -> [43.209.130.124] 7001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757164; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.104] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757161; rev:1;)
alert tcp $HOME_NET any -> [162.0.222.204] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757162; rev:1;)
alert tcp $HOME_NET any -> [154.36.188.196] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757160; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.188] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757159; rev:1;)
alert tcp $HOME_NET any -> [46.101.155.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757158; rev:1;)
alert tcp $HOME_NET any -> [69.197.187.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757157; rev:1;)
alert tcp $HOME_NET any -> [176.120.22.176] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757156; rev:1;)
alert tcp $HOME_NET any -> [43.139.187.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757155; rev:1;)
alert tcp $HOME_NET any -> [172.206.105.159] 465 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757154; rev:1;)
alert tcp $HOME_NET any -> [193.29.59.159] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757153; rev:1;)
alert tcp $HOME_NET any -> [95.211.40.80] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757152; rev:1;)
alert tcp $HOME_NET any -> [43.249.172.103] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757151; rev:1;)
alert tcp $HOME_NET any -> [207.148.9.67] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mainecourtreporting.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757148; rev:1;)
alert tcp $HOME_NET any -> [142.171.227.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757147; rev:1;)
alert tcp $HOME_NET any -> [47.107.139.30] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757146; rev:1;)
alert tcp $HOME_NET any -> [37.221.66.164] 39827 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757145/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"halleyforsaf.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marimarivelley.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757144; rev:1;)
alert tcp $HOME_NET any -> [141.11.107.134] 4040 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757142/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757142; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.78] 5057 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"customer.grovecityroofing.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xpertlearninghub.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/create"; depth:7; nocase; http.host; content:"xpertlearninghub.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/handle"; depth:7; nocase; http.host; content:"79.141.163.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poll"; depth:5; nocase; http.host; content:"crexityous.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/tenant-partial.js"; depth:26; nocase; http.host; content:"retrepoint.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/verify-service.php"; depth:27; nocase; http.host; content:"retrepoint.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"retrepoint.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/proxy-thread.js"; depth:24; nocase; http.host; content:"retrepoint.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ai-informer.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756972/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_03; classtype:trojan-activity; sid:91756972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify-to-continue-id-rttpros-260301-4223.html"; depth:47; nocase; http.host; content:"zqmk9ymc1hx0kumrm0v5awvv.t3.storage.dev"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757029/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_03; classtype:trojan-activity; sid:91757029; rev:1;)
alert tcp $HOME_NET any -> [58.74.6.14] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"support.grovecityelectrician.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cpanel.siefertfamilydentistry.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"45.38.42.197"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xhamster.html"; depth:14; nocase; http.host; content:"neletuchi.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757067/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_03; classtype:trojan-activity; sid:91757067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.html"; depth:11; nocase; http.host; content:"flow-cdn.t3.storage.dev"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757138/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_03; classtype:trojan-activity; sid:91757138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/409cd9f3b98c7e6e96e/84x7k7op.1fspl"; depth:35; nocase; http.host; content:"45.81.39.169"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1757140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghsyhk.za.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynvgx9hh15.localto.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magicbarry.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magazin.obbzor.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757134; rev:1;)
alert tcp $HOME_NET any -> [46.153.215.185] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757133; rev:1;)
alert tcp $HOME_NET any -> [18.175.118.210] 993 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757132; rev:1;)
alert tcp $HOME_NET any -> [102.98.204.172] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757131; rev:1;)
alert tcp $HOME_NET any -> [217.60.7.59] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757130; rev:1;)
alert tcp $HOME_NET any -> [69.167.10.146] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757128; rev:1;)
alert tcp $HOME_NET any -> [217.60.7.59] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757129; rev:1;)
alert tcp $HOME_NET any -> [193.233.112.39] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757127; rev:1;)
alert tcp $HOME_NET any -> [13.48.70.159] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757126; rev:1;)
alert tcp $HOME_NET any -> [107.172.13.197] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757125; rev:1;)
alert tcp $HOME_NET any -> [185.135.84.165] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757123; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.162] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757124; rev:1;)
alert tcp $HOME_NET any -> [189.150.83.81] 2312 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milfs.xvideoclip.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mincho.site.tb-hosting.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757120; rev:1;)
alert tcp $HOME_NET any -> [144.31.167.46] 5173 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madeleinemcmichael.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"klinklin.okonlomon.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757117/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_03; classtype:trojan-activity; sid:91757117; rev:1;)
alert tcp $HOME_NET any -> [52.201.156.70] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757116; rev:1;)
alert tcp $HOME_NET any -> [196.75.195.238] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757115; rev:1;)
alert tcp $HOME_NET any -> [34.210.153.54] 2761 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757113; rev:1;)
alert tcp $HOME_NET any -> [34.210.153.54] 11211 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757114; rev:1;)
alert tcp $HOME_NET any -> [34.210.153.54] 1961 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757112; rev:1;)
alert tcp $HOME_NET any -> [34.227.47.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757111; rev:1;)
alert tcp $HOME_NET any -> [165.101.92.66] 443 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757110; rev:1;) alert tcp $HOME_NET any -> [128.90.115.62] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757109; rev:1;) alert tcp $HOME_NET any -> [15.206.152.105] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757108; rev:1;) alert tcp $HOME_NET any -> [101.99.75.88] 51302 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757107; rev:1;) alert tcp $HOME_NET any -> [171.22.120.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757106; rev:1;) alert tcp $HOME_NET any -> [102.117.171.237] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757105/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_03; classtype:trojan-activity; sid:91757105; rev:1;) alert tcp $HOME_NET any -> [173.0.59.58] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757104; rev:1;) alert tcp $HOME_NET any -> [115.191.18.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757103; rev:1;) alert tcp $HOME_NET any -> [65.108.225.254] 445 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757102; rev:1;) alert tcp $HOME_NET any -> [34.203.36.89] 5000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757101; rev:1;) alert tcp $HOME_NET any -> [75.127.12.105] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757100; rev:1;) alert tcp $HOME_NET any -> [193.29.59.159] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757099; rev:1;) alert tcp $HOME_NET any -> [104.250.161.126] 2090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757098; rev:1;) alert tcp $HOME_NET any -> [77.90.185.21] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757096; rev:1;) alert tcp $HOME_NET any -> [130.12.181.35] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757097; rev:1;) alert tcp $HOME_NET any -> [31.57.216.45] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757095; rev:1;) alert tcp $HOME_NET any -> [103.124.106.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757094; rev:1;) alert tcp $HOME_NET any -> 
[150.241.73.11] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757093; rev:1;) alert tcp $HOME_NET any -> [156.234.21.218] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757092; rev:1;) alert tcp $HOME_NET any -> [47.107.139.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757091; rev:1;) alert tcp $HOME_NET any -> [185.189.12.199] 54545 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757090; rev:1;) alert tcp $HOME_NET any -> [156.234.56.34] 28711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757089; rev:1;) alert tcp $HOME_NET any -> [43.240.239.240] 3093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1757088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_03; classtype:trojan-activity; sid:91757088; rev:1;)
# (The line above is the tail of a rule that begins before this stretch.)
#
# domain rules: `dns_query` applies the content match to the DNS query name.
# `depth` equals the length of the content string and `isdataat:!1,relative`
# requires no byte after it, so the whole query name must equal the listed
# name (`nocase` makes that case-insensitive). There is no threshold on these
# rules, so each matching query raises its own alert. `target:src_ip` records
# the querying $HOME_NET host as the target in alert output.
# NOTE(review): if clients resolve through an internal resolver, the source
# seen by the sensor may be that resolver rather than the affected host --
# confirm sensor placement before triaging on src_ip.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lwgconsulting.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757087; rev:1;)
# ip:port rule: no flow or content keyword, so any TCP packet from $HOME_NET to
# this address and port matches; the threshold caps it at one alert per source
# host per 60 seconds.
alert tcp $HOME_NET any -> [46.183.218.150] 42830 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757086; rev:1;)
# The 36 rules from atex.gmo-compass.org through ddos.xoilaczhx.tv list the
# same nine host labels (atex, backup, data, ddos, malware, phishing, quantri,
# v2, v3) under four parent domains. Each rule is an exact match, so the bare
# parent domains and any other label under them do not alert.
# NOTE(review): the shared label set suggests a single source for all four
# groups; whether the parent domains are attacker-registered or compromised
# sites cannot be told from these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.gmo-compass.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.gmo-compass.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.gmo-compass.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.gmo-compass.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.gmo-compass.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.gmo-compass.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.gmo-compass.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.gmo-compass.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.gmo-compass.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilacztx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilacztx.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilacztx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilacztx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilacztx.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilacztx.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilacztx.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilacztx.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilacztx.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.barefootblonde.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.barefootblonde.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.barefootblonde.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.barefootblonde.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.barefootblonde.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.barefootblonde.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.barefootblonde.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.barefootblonde.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.barefootblonde.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilaczhx.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilaczhx.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilaczhx.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczhx.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczhx.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilaczhx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilaczhx.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilaczhx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilaczhx.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757052; rev:1;)
alert tcp $HOME_NET any -> [154.92.16.22] 22311 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757046; rev:1;)
# "payload delivery" in msg is the only difference from the "botnet C2"
# domain rules; classtype and match logic are the same.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxcocinas.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lynne.windley.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lynn.nutmeg.com.au"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757042/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_02; classtype:trojan-activity; sid:91757042; rev:1;)
# (The line above is the tail of a rule that begins before this stretch.)
#
# domain rules: `dns_query` applies the content match to the DNS query name.
# `depth` equals the length of the content string and `isdataat:!1,relative`
# requires no byte after it, so the whole query name must equal the listed
# name (`nocase` makes that case-insensitive). Sub-domains of a listed name do
# not match, and there is no threshold, so each matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lydianpayments.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvrehc.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lux-improvement.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lunkenbuilding.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757037; rev:1;)
# ip:port rules: no flow, app-layer or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches. `threshold: type limit,
# track by_src, seconds 60, count 1` caps output at one alert per source host
# per 60 seconds. The family name in msg is ThreatFox's label for the endpoint
# and is not verified against the traffic.
# NOTE(review): an address that is later reassigned would keep alerting, so
# consider ageing rules out using the first_seen value in metadata.
alert tcp $HOME_NET any -> [23.26.129.38] 24045 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757036; rev:1;)
alert tcp $HOME_NET any -> [15.216.14.131] 43 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757032; rev:1;)
alert tcp $HOME_NET any -> [147.45.69.34] 4443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757031; rev:1;)
alert tcp $HOME_NET any -> [43.134.52.221] 22443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lunamedios.com.ar"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lummondo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumdokolola.nicolasalliot.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lukasbartos.cz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lujanyleon.graficaleon.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brasserieontarioaube.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sg1.localto.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757015; rev:1;)
alert tcp $HOME_NET any -> [140.245.10.127] 7727 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1757016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757016; rev:1;)
# The names from here to the end of this stretch all sit under two-label
# suffixes (uk.com, br.com, us.com, eu.com, it.com). Because each rule is an
# exact match on the full name, other names under the same suffix do not
# alert; widening a rule to the suffix would change that.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npa.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr88.br.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itu.us.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"02070op.uk.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthmatters.eu.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhv.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"establishment.uk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pragmaticplay.it.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qik.it.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isc.it.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja-browser.it.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757004/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luciannethais.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lucia-stone.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ni3h0x2y.gastronsyriansky.digital"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4305hzn.gastronsyriansky.digital"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1757000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91757000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jakkakaskakasj.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; 
sid:91756994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asjkfalasfkaksflalaf.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boksopable.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukpuka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jasjdpoekkqwda.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaskfakfafasjfafkasfkakfaasw.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"bookstablesoon.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stayonbokablesol.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srvcmandatory.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srvc-av.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotelsyscheck.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mandatoryhotel.com"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"localsrvcs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotelupdatesys.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"channelmanagerpms.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotelservicemonitor.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotelcncts.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756988/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srvc-mcrst.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrm-srv.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-scedg.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"av-srvcn.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bozorki.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homokiddo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mndtrprcs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nokolers.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okolosedal.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rentalcentrals.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756979; rev:1;) alert tcp $HOME_NET any -> [91.211.251.249] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756971; rev:1;) alert tcp $HOME_NET any -> [116.203.167.195] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ltnworld.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gamepinxjzr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; 
content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756949; rev:1;)
# Payload-delivery URL rules for host "gamepinxjzr.com" (sids 91756950, 91756951,
# 91756953, and the rule that begins on the last line of this span).
# What each rule requires:
#   - flow:established,from_client : client-to-server data on an established flow.
#   - http.method contains "GET"   : requests using other methods do not alert.
#   - http.uri starts with the listed path (depth equals the path length). There
#     is no end anchor on the URI, so longer paths or query strings that begin
#     with the same bytes also alert.
#   - http.host equals the listed name: depth equals the name length and
#     isdataat:!1,relative rejects any trailing byte, so other host names under
#     the same domain are not covered.
# target:src_ip records the $HOME_NET client as the target in the alert.
# Only HTTP that the sensor can parse is inspected; requests inside TLS are not
# visible here unless decrypted traffic is fed to the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"gamepinxjzr.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756954/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_03_02; classtype:trojan-activity; sid:91756954; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"njpv91f5.eighteenshuga.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1js1obl.eighteenshuga.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bst.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bst.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bst.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756963; rev:1;)
# URL rule for host "bst.cricket-matters.com". The http.uri test is content:"/"
# with depth:1, which a normal request path always satisfies, so in practice the
# rule alerts on any GET whose http.host buffer equals the listed name (depth
# equals the name length and isdataat:!1,relative rejects trailing bytes).
# Read a hit as "a client sent an HTTP GET to this host", not as a match on a
# specific path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bst.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756964; rev:1;)
# ip:port rules. No flow, app-layer or content keyword is present, so the
# destination address and port alone decide the match: any TCP packet from
# $HOME_NET to that endpoint qualifies, including a connection attempt that is
# never answered. threshold (type limit, track by_src, count 1, seconds 60) caps
# output at one alert per source address per 60 seconds for each sid.
# The malware family is carried only in msg. first_seen is the only age
# information in the rule; address-based entries should be reviewed or expired
# on a schedule, because an address can be reassigned after it was listed.
# sid 91756960 targets port 443 (presumably TLS - confirm), so a hit needs
# corroboration from flow or endpoint data rather than from payload.
alert tcp $HOME_NET any -> [16.112.189.111] 56020 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756962; rev:1;)
alert tcp $HOME_NET any -> [91.202.233.57] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756961; rev:1;)
alert tcp $HOME_NET any -> [47.84.31.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756960; rev:1;)
alert tcp $HOME_NET any -> [8.162.1.240] 10086 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lpmdiseno.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montefer.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756957; rev:1;) alert tcp $HOME_NET any -> [104.243.248.63] 1801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7f4d.js"; depth:8; nocase; http.host; content:"achandograca.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"achandograca.com"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"achandograca.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756947; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756735; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756745; rev:1;) alert tcp $HOME_NET any -> [103.54.153.177] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756838; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756854/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_02; classtype:trojan-activity; sid:91756854; rev:1;)
# The two URL rules below carry an IPv4 literal in http.host. They test the
# host value the client sent, not the packet's destination address (the rule
# header is $EXTERNAL_NET any), so a connection to that address made with a
# different host value is not covered by these sids. The http.uri test
# (content:"/", depth:1) is met by any normal request path, so the host match
# is what actually decides the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.234"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.129"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756856; rev:1;)
# DNS rule: depth equals the name length and isdataat:!1,relative rejects any
# trailing byte, so the dns_query buffer must equal the listed name (nocase
# makes the comparison case-insensitive). Other names under the same parent
# zone do not match. Only queries the sensor can parse as DNS are inspected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unease-liens.with.playit.plus"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756944; rev:1;)
# ip:port rule: address and port alone decide the match (no flow or content
# keyword); threshold limits output to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.154.32.18] 8383 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teensuicide-48670.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756942/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756942; rev:1;)
# ThreatFox indicator rules, first_seen 2026_03_02, restored to one rule per
# physical line. The fragment above and the fragment on the last line belong
# to rules that continue outside this part of the file and are left as found.
#
# DNS rules: each one matches a single exact query name. depth equals the
# content length (anchors the match at the start of the buffer),
# isdataat:!1,relative requires that nothing follows it, and nocase ignores
# case. Subdomains and parent domains of a listed name do not match.
# Direction is $HOME_NET -> $EXTERNAL_NET, so a query answered by a resolver
# inside $HOME_NET is seen only when that resolver forwards it.
# NOTE(review): in that layout the alert source is presumably the resolver,
# so resolver query logs are needed to find the client - confirm against
# sensor placement.
#
# --- domain indicators, confidence_level 100 ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fm.radio.fm"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icbd.co.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"katana.jp.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"libell.jp.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbqj.sa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uit.co.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usk.co.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auif.sa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ausieslots.za.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emfoot.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystery.co.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"au88.gr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"au88.jp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edition-daily.sa.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756928; rev:1;)
#
# --- domain indicators, confidence_level 75 ---
# Action (alert) and classtype are the same as in the 100% rules; the lower
# confidence is carried only in msg and metadata, so any difference in
# handling has to be applied downstream (for example by filtering on the
# confidence_level metadata key).
# NOTE(review): many names in this group look like ordinary business sites
# or mail hosts (mail.*, wp.*, cpcontacts.*), presumably third-party sites
# that were compromised; a lookup alone is weak evidence - confirm with the
# linked ThreatFox entry and host telemetry before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zoolatours.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756919/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zestsolar.pt"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756920/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"viraghagymafesztival.hu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756921/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"videoo.fit"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756922/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"toyama-housenavi.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756923/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"toolspro.su"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756924/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"traqc.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756925/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sleeve.diamantflex.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756926/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ragdoll-blog.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756927/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aksafil.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756903/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"africaexports.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756904/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cavallotech.de.businessecontact.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756905/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cammy-freelance.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756906/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cpcontacts.centrocirugiaplastica.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756907/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edgenroots.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756908/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gia5.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756909/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hitokara-kishin.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756910/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"horodniany.pl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756911/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lafabri-k.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756912/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.e1staffingandrecruiting.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756913/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.mamahdannirwana.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756914/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kinugort.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756915/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mebelinki.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756916/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp.retirevillage.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756917/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saboresdomalte.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756918/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goldnews24h.com.yemint.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756885/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"funpasta.webdevlink.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756886/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"willlog7.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756887/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wehouse.au"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756888/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tenabl.io"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756889/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visa.ourdubaitravel.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756890/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sales.activemedicaresolutions.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756891/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nouralhalaby.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756892/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newsite.jacquiejordan.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756893/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.diskopumkm-minahasa.my.id"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756894/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.istar-vip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756895/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"securelearn.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756896/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"senioryuyu.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756897/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wurk.africa"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756898/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.panorama-g.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756899/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.domonova.co.ao"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756900/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3iss-online.3iss-online.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756901/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"99idesign.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756902/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.castlefordlocksmiths.co.uk"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756866/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.fundacion-primavera.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756867/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcash.trumpcode.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756868/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.kalantarilaw.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756869/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756869; rev:1;)
# NOTE(review): the next name looks like a shared object-storage service
# endpoint rather than a single-tenant domain; if so, benign lookups will
# match this rule - confirm before using it for alert-driven response.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sos-ch-gva-2.exo.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756870/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"walwood.be"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756871/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inheritance-claims-portal-32792.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756872/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goansgsr.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756873/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"verify-slack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756874/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"socheaphost.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756875/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dblanka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756876/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"digiskillzz.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756877/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gatepass-corp.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756878/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"binadata.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756879/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"admin.ilygold.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756880/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asgwellness.korrakang.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756881/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"demo14.netbazaarbd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756882/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddledu.dev.sugaweb.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756883/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"celik.bewapps.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756884/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reviewloading.t3.storage.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756859/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"customblindinstall.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756860/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlinphysiotherapie.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756861/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arayapps.cl"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756862/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"catalogocanjefideliza.amsd.cl"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756863/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ceymox.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756864/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coveney-ltd.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756865; rev:1;)
#
# --- domain indicators, confidence_level 100 (payload delivery and C2) ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h977pm9s.judaspapal.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zgrmktug.judaspapal.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qnxzzwihawagrarx.globalgforce.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756853; rev:1;)
#
# --- ip:port indicators ---
# These rules carry no flow, flags or payload keywords: any TCP packet from
# $HOME_NET to the listed address and port matches, whatever its content.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule
# at one alert per source address per 60 seconds.
# NOTE(review): an address indicator can outlive the attacker's use of the
# host, and several entries below are on port 443; weigh first_seen and the
# linked ThreatFox entry before turning these into blocks.
alert tcp $HOME_NET any -> [23.163.0.24] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756852; rev:1;)
alert tcp $HOME_NET any -> [62.164.177.230] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756851; rev:1;)
alert tcp $HOME_NET any -> [187.124.6.129] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756850; rev:1;)
#
# --- domain indicators, confidence_level 100 ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amowdwt.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saramoftah.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ej41ykw1.slobodaspang.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s4xq03z7.slobodaspang.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapidfilevault1.homes"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapidfilevault2.homes"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapidfilevault3.homes"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapidfilevault4.homes"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapidfilevault5.homes"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756845; rev:1;)
#
# --- url indicator, confidence_level 75 ---
# Matches a client GET on an established flow whose URI begins with "/1ewp"
# (depth:5 anchors the start, nothing anchors the end, nocase ignores case)
# and whose host equals 107.175.206.36 exactly. The HTTP buffers exist only
# where the sensor sees the request in clear text. The same address is the
# destination of the ip:port rule that follows (port 8866).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ewp"; depth:5; nocase; http.host; content:"107.175.206.36"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756840/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756840; rev:1;)
#
# --- ip:port indicators ---
# Same shape as the ip:port rules earlier in this file: destination address
# and port only, one alert per source per 60 seconds. 35.178.68.216 appears
# in five rules, one per port, each with its own sid.
alert tcp $HOME_NET any -> [107.175.206.36] 8866 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756839; rev:1;)
alert tcp $HOME_NET any -> [5.189.189.14] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756837; rev:1;)
alert tcp $HOME_NET any -> [58.244.40.227] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756836; rev:1;)
alert tcp $HOME_NET any -> [35.178.68.216] 18100 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756835; rev:1;)
alert tcp $HOME_NET any -> [35.178.68.216] 7000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756833; rev:1;)
alert tcp $HOME_NET any -> [35.178.68.216] 11000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756834; rev:1;)
alert tcp $HOME_NET any -> [35.178.68.216] 950 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756832; rev:1;)
alert tcp $HOME_NET any -> [51.17.22.44] 790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756830; rev:1;)
alert tcp $HOME_NET any -> [95.40.107.121] 4679 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756831; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.76] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756828; rev:1;)
alert tcp $HOME_NET any -> [103.177.46.19] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756829; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.38] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756827; rev:1;)
alert tcp $HOME_NET any -> [45.76.48.155] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756826/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_02; classtype:trojan-activity; sid:91756826; rev:1;) alert tcp $HOME_NET any -> [94.154.32.153] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756825; rev:1;) alert tcp $HOME_NET any -> [80.71.224.166] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756824; rev:1;) alert tcp $HOME_NET any -> [37.119.171.241] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756823; rev:1;) alert tcp $HOME_NET any -> [45.38.42.197] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756822; rev:1;) alert tcp $HOME_NET any -> [64.225.123.12] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756821; rev:1;) alert tcp $HOME_NET any -> [93.198.178.134] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756820; rev:1;) alert tcp $HOME_NET any -> [88.210.13.112] 25565 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756819; rev:1;) alert tcp $HOME_NET any -> [130.51.23.168] 25565 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756818; rev:1;) alert tcp $HOME_NET any -> [50.114.206.110] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756817; rev:1;) alert tcp $HOME_NET any -> [113.192.61.4] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756816; rev:1;) alert tcp $HOME_NET any -> [171.236.84.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756815; rev:1;) alert 
tcp $HOME_NET any -> [187.124.1.63] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756813; rev:1;) alert tcp $HOME_NET any -> [65.0.58.184] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756814; rev:1;) alert tcp $HOME_NET any -> [94.181.229.245] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756812; rev:1;) alert tcp $HOME_NET any -> [45.139.104.161] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756810; rev:1;) alert tcp $HOME_NET any -> [62.60.226.168] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lqakk1dg.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mlicguwa.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.u31jq3of.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lepx7nf8.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qplzc7af.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pyjdhaie.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; 
classtype:trojan-activity; sid:91756803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.i7nf86tz.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ysrmrhon.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.w62le3kb.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.unokb9vc.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qqpw0z0r.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"www.yw4ufrqo.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.o8w9i1r0.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.uchvqxc8.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pvoiv6vk.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nfokam9i.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756794; rev:1;) alert tcp $HOME_NET any -> [31.59.139.31] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1756793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756793; rev:1;) alert tcp $HOME_NET any -> [91.84.123.250] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756792; rev:1;) alert tcp $HOME_NET any -> [143.198.186.90] 38656 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756791; rev:1;) alert tcp $HOME_NET any -> [163.172.39.176] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756790; rev:1;) alert tcp $HOME_NET any -> [149.50.96.57] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756789; rev:1;) alert tcp $HOME_NET any -> [5.101.86.53] 2428 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756788; rev:1;) alert tcp $HOME_NET any -> [172.94.100.226] 29811 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756786; rev:1;) alert tcp $HOME_NET any -> [185.221.215.196] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756787; rev:1;) alert tcp $HOME_NET any -> [5.101.86.24] 2428 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756785; rev:1;) alert tcp $HOME_NET any -> [130.12.181.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756784; rev:1;) alert tcp $HOME_NET any -> [93.127.138.239] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756783; rev:1;) alert tcp $HOME_NET any -> [27.124.21.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; 
classtype:trojan-activity; sid:91756782; rev:1;) alert tcp $HOME_NET any -> [38.175.200.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756781; rev:1;) alert tcp $HOME_NET any -> [103.39.16.252] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756780; rev:1;) alert tcp $HOME_NET any -> [103.39.16.250] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756778; rev:1;) alert tcp $HOME_NET any -> [43.240.239.254] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756779; rev:1;) alert tcp $HOME_NET any -> [103.39.16.235] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756776; rev:1;) alert tcp $HOME_NET any -> [103.39.16.226] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756777; rev:1;) alert tcp $HOME_NET any -> [80.97.160.68] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756774; rev:1;) alert tcp $HOME_NET any -> [103.39.16.232] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756775; rev:1;) alert tcp $HOME_NET any -> [103.39.16.247] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756772; rev:1;) alert tcp $HOME_NET any -> [103.39.16.229] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756773; rev:1;) alert tcp $HOME_NET any -> [103.39.16.243] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756771; rev:1;) 
# Rule shapes in this part of the feed (one rule per line):
#  - ip:port rules (alert tcp): there are no flow, flags or payload keywords, so
#    any TCP packet from $HOME_NET to the listed address and port matches. The
#    threshold caps alerts at one per source host per 60 seconds. A hit shows
#    contact with the endpoint, not what was exchanged; confirm with flow and
#    endpoint data before treating the host as compromised, especially on
#    widely used ports such as 80 and 443.
#  - Domain rules (alert dns): depth equals the length of the content string and
#    isdataat:!1,relative forbids trailing bytes, so only a query for exactly that
#    name matches (case-insensitively, via nocase). Other names under the same
#    domain do not fire the rule.
#  - target:src_ip marks the $HOME_NET host as the target in the alert record.
#  - sid is the ThreatFox IOC id from the reference URL with a leading 9, which
#    lets an alert be traced back to its ThreatFox entry.
# Many of the Cobalt Strike entries below are single addresses in 103.39.16.0/24
# on port 20411; each address keeps its own sid and reference.
alert tcp $HOME_NET any -> [47.107.139.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756770; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.238] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756769; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.248] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756768; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.237] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756767; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.236] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756766; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.246] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756764; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.240] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756765; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.227] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756761; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.254] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756762; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.244] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756763; rev:1;)
alert tcp $HOME_NET any -> [176.191.216.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756759; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.242] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756760; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.231] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756758; rev:1;)
alert tcp $HOME_NET any -> [23.235.177.9] 23761 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756757; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.253] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756756; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.230] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756753; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.225] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756754; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.239] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756755; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.249] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756751; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.234] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756752; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.228] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756749; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.233] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756750; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.245] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756748; rev:1;)
alert tcp $HOME_NET any -> [103.44.90.113] 46513 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756746; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.251] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756747; rev:1;)
alert tcp $HOME_NET any -> [47.242.153.43] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756744; rev:1;)
alert tcp $HOME_NET any -> [47.242.153.43] 8443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdp.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mwtinting.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dianganadores.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756740/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merafondeur.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jxx0qj1x.lickunsung.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zs5a7k6f.lickunsung.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muuseum.tostamaa.ee"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756736; rev:1;)
alert tcp $HOME_NET any -> [82.158.88.101] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756734; rev:1;)
alert tcp $HOME_NET any -> [172.245.246.91] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756733; rev:1;)
alert tcp $HOME_NET any -> [130.12.181.39] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55gamee.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mutternetz.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mustbemolly.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blyatblyatblyatblyatblyat.icu"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dnvigv97.comedianmental.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vudydhue.comedianmental.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756725; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 5555 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; 
classtype:trojan-activity; sid:91756717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.delmontoyalogisticsllc2.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756724/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.delmontoyalogisticsllc1.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756723/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.delmontoyalogisticsllc.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756722/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"che.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"che.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756721; rev:1;) alert http $HOME_NET any -> 
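$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"che.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756718; rev:1;)
# The line above is the tail of a rule that begins before this section; the last
# line of this section is the head of a rule that continues after it.
#
# URL IOCs (alert http): a client-to-server GET on an established flow whose URI
# begins with "/" and whose http.host value equals the listed name (`depth:N`
# plus `isdataat:!1,relative` = whole-buffer match). `nocase` after the one-byte
# "/" match has no effect. These rules depend on Suricata's HTTP parser, so they
# cover cleartext HTTP only; the matching domain rules cover the DNS lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"che.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756719; rev:1;)
# AsyncRAT C2 endpoint (ip:port): any TCP packet to the address and port matches;
# the threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [104.243.248.63] 1800 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756716; rev:1;)
# URL IOCs with confidence_level 50 (the lowest in this section).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"6nfk1oop2kry.xszc666.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756714/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756714; rev:1;)
# NOTE(review): as issued, this rule searched for the hostname in http.uri
# (`http.uri; content:"j7mki8.b3h5n3c0.work"; depth:20; nocase;`). A normal
# request URI starts with "/", so a hostname anchored at the start of the URI
# buffer would not be seen and the rule was effectively dead. It is rewritten
# here to the same form as the sibling URL rules: URI begins with "/", hostname
# matched in http.host. Presumably the IOC was submitted without a scheme or
# path — confirm against the ThreatFox entry and report upstream. sid and rev
# are left as issued, so a feed refresh will replace this local correction.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"j7mki8.b3h5n3c0.work"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756715/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756715; rev:1;)
# PureRAT C2 endpoint (ip:port), confidence_level 75.
alert tcp $HOME_NET any -> [45.139.104.209] 56002 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756713/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756713; rev:1;)
# Vidar C2 endpoints (ip:port), all on port 443. With no payload keywords these
# match on address and port alone.
alert tcp $HOME_NET any -> [74.0.48.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756702; rev:1;)
alert tcp $HOME_NET any -> [89.167.51.54] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756703; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.135] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756704; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.55] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756705; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 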
60, count 1; reference:url, threatfox.abuse.ch/ioc/1756706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756706; rev:1;)
# The line above is the tail of a rule that begins before this section; the last
# line of this section is the head of a rule that continues after it.
#
# Vidar C2 endpoints (ip:port), all on port 443. These rules carry no payload or
# flow keywords: any TCP packet from $HOME_NET to the listed address on 443
# matches, and `threshold: type limit, track by_src, seconds 60, count 1` caps
# output at one alert per source host per 60 seconds. `target:src_ip` marks the
# $HOME_NET host as the affected side.
alert tcp $HOME_NET any -> [74.0.32.197] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756707; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.233] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756708; rev:1;)
alert tcp $HOME_NET any -> [207.180.58.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756709; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.140] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756710; rev:1;)
alert tcp $HOME_NET any -> [138.226.237.185] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756711; rev:1;)
alert tcp $HOME_NET any -> [135.181.117.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756712; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.26] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756691; rev:1;)
alert tcp $HOME_NET any -> [91.99.21.118] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756692; rev:1;)
alert tcp $HOME_NET any -> [91.99.163.84] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756693; rev:1;)
alert tcp $HOME_NET any -> [95.217.50.16] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756694; rev:1;)
alert tcp $HOME_NET any -> [138.226.237.195] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756695; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.53] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756696; rev:1;)
alert tcp $HOME_NET any -> [207.180.58.180] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756697; rev:1;)
alert tcp $HOME_NET any -> [77.42.49.74] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756698; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.62] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756699; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.52] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756700; rev:1;)
alert tcp $HOME_NET any -> [65.108.21.223] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756701; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.55] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756682; rev:1;)
alert tcp $HOME_NET any -> [95.217.50.17] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756683; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.131] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756684; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.127] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756685; rev:1;)
alert tcp $HOME_NET any -> [74.0.42.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756686; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.81] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756687; rev:1;)
alert tcp $HOME_NET any -> [46.225.128.252] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756688; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756689; rev:1;)
alert tcp $HOME_NET any -> [46.225.140.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756690; rev:1;)
# Domain IOCs (DNS query name): `depth:N` equals the name length and
# `isdataat:!1,relative` requires nothing after it, so only the exact name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sps.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756673; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtp.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; 
sid:91756674; rev:1;)
# The line above is the tail of a rule that begins before this section; the last
# line of this section is the head of a rule that continues after it.
#
# Domain IOCs (DNS query name). Each rule inspects the dns_query buffer for one
# literal name: `depth:N` equals the name length and `isdataat:!1,relative`
# requires that no byte follows, so the query must equal the name exactly
# (`nocase` makes the comparison case-insensitive). The rules enumerate
# three-letter host labels under four parent domains (jhotpot.com.bd,
# cricket-matters.com, it-bd.com, cardiffphysio.com); because of the exact-match
# anchoring, a label that is not listed produces no alert even under the same parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctl.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goo.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bis.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttt.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wib.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtp.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctl.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctl.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctl.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hro.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hro.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bis.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goo.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wib.jhotpot.com.bd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756672/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756672; rev:1;)
# The line above is the tail of a rule that begins before this section; the last
# line of this section is the head of a rule that continues after it.
#
# URL IOCs whose host part is an IP literal (alert http). Each rule requires a
# client-to-server GET on an established flow, a URI that begins with "/", and an
# http.host value equal to the listed address (`depth:N` plus
# `isdataat:!1,relative` = whole-buffer match). `nocase` after the one-byte "/"
# match has no effect. Because only the first URI byte is checked, any path on
# the host matches.
# Coverage note: these depend on Suricata's HTTP parser, so they see cleartext
# HTTP only. The same addresses are listed in this ruleset's Vidar ip:port rules
# on port 443; TLS sessions are covered by those address/port rules, not by the
# http.host match here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.233"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"207.180.58.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.140"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.226.237.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.21.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.51.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.135"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.183"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.197"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.226.237.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"207.180.58.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.49.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.62"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.128.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.140.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.26"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.99.21.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.50.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.131"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.127"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.81"; depth:10; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1756641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ctl.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"goo.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bis.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ttt.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756632; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wib.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sps.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gtp.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ctl.cricket-matters.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"ctl.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ctl.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bis.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"goo.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wib.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756626/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_02; classtype:trojan-activity; sid:91756626; rev:1;)
# URL-type IOC rules. Each one requires an established client-to-server GET whose
# http.host equals the listed host exactly (depth = content length, followed by
# isdataat:!1,relative) and whose http.uri begins with the listed path.
# NOTE(review): where the path is content:"/"; depth:1, any URI beginning with "/"
# satisfies the URI test, so those rules are effectively host-only matches for GET
# requests; the nocase on "/" has no effect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sps.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gtp.jhotpot.com.bd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756628; rev:1;)
# NOTE(review): steamcommunity.com is a shared public host, so the profile path is the
# only discriminating part of this rule. The path is matched as a case-insensitive
# prefix (depth:27, no end anchor on http.uri). Because the rule is `alert http`, it
# only inspects requests the sensor can parse as HTTP; presumably that means decrypted
# traffic is needed for it to fire - confirm for your deployment.
# Triage an alert on the source host (target:src_ip), e.g. which process made the
# request, rather than treating the destination service as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198733506974"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pay.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pay.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hro.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hro.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756621; rev:1;) alert tcp $HOME_NET any -> [89.106.65.100] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756608; rev:1;) alert tcp $HOME_NET any -> [91.92.243.47] 7004 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756615/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756615; rev:1;) alert tcp $HOME_NET any -> 
[23.94.99.174] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756616/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756616; rev:1;) alert tcp $HOME_NET any -> [23.94.99.174] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756614/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756614; rev:1;) alert tcp $HOME_NET any -> [91.92.241.10] 8880 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756613/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niggerniggerniggerniggerniggernigger.icu"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ofegofo.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756611/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/m0r5hl"; depth:7; nocase; http.host; content:"telegram.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756610/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756610; rev:1;)
# NOTE(review): the rule ending above (sid:91756610) pins one path on telegram.me, a
# shared public host. Its URI test is a 7-byte, case-insensitive prefix with no end
# anchor, so longer paths beginning with the same characters also match, and its
# confidence_level is 50. Being `alert http`, it only inspects requests the sensor can
# parse as HTTP - TODO confirm decrypted traffic reaches the sensor before relying on it.
#
# Domain IOC rules: dns_query is compared case-insensitively against the whole query
# name (depth = content length, followed by isdataat:!1,relative), so a lookup for a
# subdomain of a listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sps.cricket-matters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wpc99gxs.immunizeoot.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"406nf3za.immunizeoot.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756606; rev:1;)
# ip:port IOC rules: there is no flow or content condition, so the match is on the
# destination address and port alone; the threshold limits alerts to one per source
# address per 60 seconds.
alert tcp $HOME_NET any -> [45.94.31.59] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756605/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bootstrap.jqu3ry.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756604; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.10] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756603/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756603; rev:1;)
# NOTE(review): pastebin.com is a shared public host; only the /raw/ path identifies
# the IOC. The path is matched with nocase - presumably paste identifiers are
# case-sensitive, in which case this also matches other pastes whose ID differs only in
# letter case; verify against the IOC at the reference URL. confidence_level is 50, and
# the same cleartext-HTTP visibility caveat applies as for any `alert http` rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rq7ymk0w"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756602/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756602; rev:1;)
# NOTE(review): the next two names sit under ply.gg and vietnamddns.com, which look like
# tunnelling / dynamic-DNS parent zones - confirm. Only the exact hostnames listed are
# matched, and both rules carry confidence_level 50.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"free-represents.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756601/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"imsorrydidhejustsayhislastnameisburgur.vietnamddns.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756600/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756600; rev:1;)
# NOTE(review): 104.21.63.144 and 172.67.146.169 look like addresses in a shared
# CDN / reverse-proxy range (presumably Cloudflare - verify against the provider's
# published ranges). If so, unrelated sites can sit behind the same address, and these
# six rules match on address and port alone at confidence_level 50. Corroborate a hit
# with host or DNS telemetry from the alerting source before escalating, and review
# before using these sids in a blocking (IPS) policy.
alert tcp $HOME_NET any -> [104.21.63.144] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756596/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756596; rev:1;)
alert tcp $HOME_NET any -> [172.67.146.169] 4782 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756597/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756597; rev:1;)
alert tcp $HOME_NET any -> [172.67.146.169] 6060 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756598/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756598; rev:1;)
alert tcp $HOME_NET any -> [172.67.146.169] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756599/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756599; rev:1;)
alert tcp $HOME_NET any -> [104.21.63.144] 4782 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756594/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756594; rev:1;)
alert tcp $HOME_NET any -> [104.21.63.144] 6060 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756595/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"73bet.app"; 
depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756592/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"km-ok365.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756593/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"anonymous5334.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756591/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756591; rev:1;) alert tcp $HOME_NET any -> [77.238.228.60] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756590/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756590; rev:1;) alert tcp $HOME_NET any -> [185.121.235.118] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756589/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"townquiver.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; 
classtype:trojan-activity; sid:91756588; rev:1;) alert tcp $HOME_NET any -> [192.52.242.73] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756587/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"passengerbrake.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bagcare.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gunbear.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birthdaymagic.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"20t2lqnx.grosstable.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7lj1il64.grosstable.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756581; rev:1;) alert tcp $HOME_NET any -> [150.241.73.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756579; rev:1;) alert tcp $HOME_NET any -> [59.110.166.104] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756580; rev:1;) alert tcp $HOME_NET any -> [1.94.186.19] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756578; rev:1;) alert tcp $HOME_NET any -> [180.76.111.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756577/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756577; rev:1;)
# --- Reading the rules in this run --------------------------------------------------
# dns rules: dns_query selects the DNS query name. depth:N equals the length of the
#   content string and isdataat:!1,relative requires that no byte follows the match,
#   so the pair is a whole-name, case-insensitive (nocase) comparison. A lookup of a
#   subdomain, or of a longer name that merely contains the string, does not alert.
# tcp rules: no content or flow keywords, so any TCP packet from $HOME_NET to the
#   listed address and port matches; an alert alone does not show that a session was
#   established. threshold limits output to one alert per source address per 60 s.
# target:src_ip records the internal source as the affected side of the event.
# msg separates "payload delivery" from "botnet C2 traffic"; classtype is
#   trojan-activity for both, and confidence_level is repeated in metadata.
# NOTE(review): where clients resolve through an internal recursive resolver, the
#   source the sensor sees for a dns alert may be the resolver rather than the
#   querying host - confirm sensor placement before triaging on src_ip.
# NOTE(review): a dns match shows only that the name was looked up; corroborate with
#   HTTP/TLS or endpoint telemetry before concluding that anything was fetched.
# -------------------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lomboking.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"logspot.aktuel.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"78smp.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756397; rev:1;)
# ip:port indicator; msg names the family as Aisuru.
alert tcp $HOME_NET any -> [137.184.215.213] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756449; rev:1;)
# confidence_level 50, unlike the 100% entries around it; the metadata value can be
# used to route this alert at a lower priority.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"satanc2.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756461/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_02; classtype:trojan-activity; sid:91756461; rev:1;)
# url indicator: established client-to-server flow, method GET, and http.host equal to
# "74.0.48.25" as a whole (depth:10 + isdataat:!1,relative).
# NOTE(review): the http.uri test is content:"/" with depth:1 and no end anchor, so any
# URI beginning with "/" satisfies it - in effect every GET to this host alerts, not
# only a request for the root path. nocase has no effect on "/". Confirm that this
# breadth is what the indicator is meant to cover.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.25"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciatranoler.za.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fb88i.dev"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rpv.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wifi.eu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multicanaltvcali.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756570; rev:1;)
# ip:port indicator; msg names the family as ValleyRAT.
alert tcp $HOME_NET any -> [47.239.240.171] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muhancorp.gabia.io"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mugsandpuddles.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juggle.it.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intercontinentalphuquoc.vn"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vgsshop.vn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"er0dbme.uk.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756562; rev:1;)
# ip:port indicator; msg names the family as Remcos.
alert tcp $HOME_NET any -> [31.57.216.44] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bksrvcs.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confirmation-reserv.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756559; rev:1;)
# --- Reading the rules in this run --------------------------------------------------
# dns rules: dns_query selects the DNS query name. depth:N equals the length of the
#   content string and isdataat:!1,relative requires that no byte follows the match,
#   so the pair is a whole-name, case-insensitive (nocase) comparison. A lookup of a
#   subdomain, or of a longer name that merely contains the string, does not alert.
# tcp rules: no content or flow keywords, so any TCP packet from $HOME_NET to the
#   listed address and port matches; an alert alone does not show that a session was
#   established. threshold limits output to one alert per source address per 60 s.
# target:src_ip records the internal source as the affected side of the event.
# NOTE(review): where clients resolve through an internal recursive resolver, the
#   source the sensor sees for a dns alert may be the resolver rather than the
#   querying host - confirm sensor placement before triaging on src_ip.
# NOTE(review): a dns match shows only that the name was looked up; corroborate with
#   HTTP/TLS or endpoint telemetry before concluding that anything was fetched.
# -------------------------------------------------------------------------------------
# NOTE(review): the name below looks like a host under a shared relay-service domain
# (presumably Synology QuickConnect - verify). Only this exact hostname is matched;
# other names under the same parent domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heuenis.direct.quickconnect.to"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756560; rev:1;)
# --- confidence_level 75 run (IOC ids 1756511-1756557) -------------------------------
# Same whole-name dns match as above. msg and metadata both carry 75 instead of 100,
# and msg gives no malware family. The metadata confidence_level value can be used to
# route these at a different priority from the 100% entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"videorecruitpro.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756546/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidhirehub.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756547/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zenspiretech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756548/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smartdriverfix.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756549/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webcamdrivers.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756550/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webcamwizard.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756551/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"camdriversupport.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756552/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"camera-drive.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756553/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"camtechdrivers.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756554/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"drivercams.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756555/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"drive-release.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756556/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"web-cam.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756557/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"devchallengehq.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756520/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evalassesso.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756521/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evalswift.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756522/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quickskill-review.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756523/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jobinterview360.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756524/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"livehirehub.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756525/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talenthiring360.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756526/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quickassessio.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756527/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quickhire360.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756528/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quickinterview360.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756529/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eskillprof.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756530/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evalvidz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756531/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"intervwolf.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756532/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidcruiterinterview.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756533/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidcruitermaster.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756534/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidintermaster.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756535/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skillhiretrack.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756536/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skillprooflab.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756537/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talentcheck.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756538/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talentsnaptest.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756539/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talentview360.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756540/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test-wolf.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756541/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"toptalentassess.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756542/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ugethired360.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756543/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidassess360.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756544/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidassesspro.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vid-crypto-assess.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756511/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"assessiohq.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756512/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blockassess.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756513/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blockchainjobassessment.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756514/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blockchainjobhub.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756515/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"candidateinsightinfo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756516/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coinbase-walet.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756517/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coinbase-walet.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756518/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"competency-core.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756519/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_02; classtype:trojan-activity; sid:91756519; rev:1;)
# --- payload delivery, confidence_level 100 -----------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msicpl.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msi.marketstockindo.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ms-landtechnik.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrpc.pramnos.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrbdl.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mradsafety.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movetorecover.be"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mount-atlas.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756503; rev:1;)
# ip:port indicator; msg names the family as ValleyRAT.
alert tcp $HOME_NET any -> [156.239.225.187] 44550 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_02; classtype:trojan-activity; sid:91756502; rev:1;)
# From here on, metadata first_seen is 2026_03_01.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mothersmotivatingmothers.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mosqueraygomezabogados.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756500; rev:1;)
# NOTE(review): the next three names look like hosts under shared dynamic-DNS or
# tunnelling service domains (zapto.org, ply.gg, portmap.host - verify). Each rule
# matches one exact hostname only, so other hosts under the same parent domain are
# neither flagged nor covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceee.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"february-authors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"integral2048-47645.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756498; rev:1;)
# ip:port indicator; msg names the family as Quasar RAT.
alert tcp $HOME_NET any -> [185.174.138.229] 1177 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ph88game.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qusezc.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moxi.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deporte.radio.fm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medicalresearch.za.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"childreninachangingclimate.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756490; rev:1;)
# --- payload delivery, confidence_level 100 -----------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mortgagealliance.co.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"msi-us.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mori-bankin.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morgans-construction.nitrolic.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morganhillmarblepolishing.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morfometal.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mop.gr"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moonstonedesignare.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moonlightmakers.ie"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maximoenergiasolar.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montybaecker.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montgomerypoolservices.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montclairholistic.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756476; rev:1;)
# --- botnet C2 traffic, confidence_level 100 ----------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunwin10.de.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doll.us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fryd.us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"in2it.uk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lima.us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n188.best"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756474; rev:1;)
# Internationalized name in its ASCII (xn--) form; the comparison is against that
# ASCII form as it appears in the DNS query, not the Unicode rendering.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xn--vcktcwa4eh.jpn.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx88.de.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ax88.day"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcj.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mushroomgummies.us.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xn--eckvaae8v6bolb0cyf.jpn.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montagne-emotion.fr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montagnaitalia.it"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1756462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756462; rev:1;)
# Domain IOCs (DNS). Each rule inspects the dns_query buffer and requires the
# whole queried name to equal the listed domain, case-insensitively (nocase):
# depth:<len> pins the content to the start of the buffer and
# isdataat:!1,relative asserts that no byte follows it. A lookup for a
# subdomain of the listed name therefore does not match.
# The header is $HOME_NET -> $EXTERNAL_NET with target:src_ip, so the sensor
# has to see the query leave the home network. Where clients resolve through an
# internal resolver, the alert source is presumably that resolver; correlate
# with resolver logs to find the client (confirm against sensor placement).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monom.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monokerka.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monnier.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756458; rev:1;)
# ip:port IOCs. These two rules carry no flow, content or app-layer keyword:
# any TCP packet from $HOME_NET to the listed address and port raises the
# alert, an unanswered SYN included, so an alert shows a connection attempt
# rather than a completed session. The threshold (type limit, track by_src,
# seconds 60, count 1) caps output at one alert per source address per 60 s.
# The family name (AsyncRAT) appears only in msg; nothing in the rule checks
# the protocol spoken on the port, and the match stays tied to the address
# for as long as the rule is loaded (see first_seen in metadata).
alert tcp $HOME_NET any -> [5.83.128.112] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756457; rev:1;)
alert tcp $HOME_NET any -> [5.83.128.112] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756456; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mans.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.deltasteel.za.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.deltasteel.za.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.oligoter403.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monicaskincareinc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"monferratorugby.it"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"absofrigginlutely.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"christianmichaelcurrent.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aylakkarga.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"charlestonurbanite.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"davidbarrio.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"centroysur.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"desiweddingphotography.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"money.mygermanphone.de"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yessurf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cleverdigitallabs.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; 
classtype:trojan-activity; sid:91756439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"patrickscodelab.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tmt.ydns.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756437/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yarnislife.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fortunesheet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gottabelegend.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"goldengirlxena.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agfaireland.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"phiwheel.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756431; rev:1;) alert tcp $HOME_NET any -> [147.124.219.156] 31202 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beijinginhd.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baseballaccelerator.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polledanswer.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acomoeldolar.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitcoinisthebettermoney.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chestcalm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756424; rev:1;) alert tcp $HOME_NET any -> [172.111.232.233] 1771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; 
sid:91756423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datayotta.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chrismaire.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monetgestaofinanceira.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tea-and-pencils.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"projectkyle.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"abuujo.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dartbanks.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beloads.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"radiyana.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tomstatas.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"griffinbone.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756412; rev:1;)
# Domain IOCs (DNS): exact, case-insensitive match of the full queried name
# (depth:<len> anchors the content at the start of dns_query,
# isdataat:!1,relative requires that nothing follows). Subdomains of a listed
# name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tryyourselfs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mommywantscoffee.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baxe.pics"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vinte.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756409; rev:1;)
# URL IOCs (HTTP). Client-to-server traffic on an established flow is matched
# on three buffers:
#   http.method - contains "GET";
#   http.uri    - begins with the listed path (depth:<len>, nocase). There is
#                 no isdataat after it, so a longer URI with the same prefix,
#                 for example with a query string appended, also matches;
#   http.host   - equals basennwrpin.com (depth:15 plus isdataat:!1,relative).
#                 No nocase is given; Suricata documents http.host as a
#                 lowercase-normalised buffer.
# The six rules differ only in path, reference and sid. They need the HTTP
# request to be visible to the sensor; if the same host is reached over TLS
# without decryption, the dns_query rule for basennwrpin.com (sid 91756401,
# after the HTTP rules) is the one in this group that can still fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"basennwrpin.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756402; rev:1;)
# Domain IOC for the host named in the URL rules above, followed by further
# exact-match domain IOCs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basennwrpin.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moldes1dollar.creamodashop.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mohamedismail.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mofonguitoshouse.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756398; rev:1;)
alert tcp $HOME_NET any -> [111.170.36.160] 8585 (msg:"ThreatFox ValleyRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexdataserver1.mom"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexdataserver2.mom"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexdataserver3.mom"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexdataserver4.mom"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexdataserver5.mom"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1756395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756395; rev:1;)
# ip:port IOC on TCP/443. The rule has no flow, TLS or content keyword, so any
# TCP packet from $HOME_NET to this address and port alerts (at most once per
# source per 60 s through the threshold). The match is on the endpoint only:
# other services reachable on the same address and port would alert as well,
# so treat a hit as a lead to confirm with flow or TLS logs.
alert tcp $HOME_NET any -> [45.76.48.155] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756390; rev:1;)
# Six numbered hostnames under duckdns.org (a dynamic-DNS service), one
# exact-match dns_query rule each: depth:29 plus isdataat:!1,relative require
# the queried name to equal the listed host, nocase ignores case. The rules
# key on the name, not on whatever address it currently resolves to.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael1.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael2.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael3.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael4.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael5.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brajasas35safael6.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756389; rev:1;)
# Lower-confidence ip:port IOC: msg and metadata both carry confidence level
# 75, and the family is given only as "Unknown RAT". Same endpoint-only match
# and per-source 60 s alert limit as the other ip:port rules; the metadata
# confidence_level field is the value to key on when triaging or filtering
# by confidence.
alert tcp $HOME_NET any -> [74.0.32.6] 3000 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756383/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756383; rev:1;)
# Two hostnames under coldglass.digital, each an exact-match dns_query rule
# (depth:26, isdataat:!1,relative, nocase). Only these two full names are
# covered; other names under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vnm2ey0a.coldglass.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ac2fhy11.coldglass.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756380; rev:1;)
alert tcp 
$HOME_NET any -> [194.76.226.162] 7673 (msg:"ThreatFox CountLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756379/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756379; rev:1;) alert tcp $HOME_NET any -> [23.82.125.197] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756359/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756359; rev:1;) alert tcp $HOME_NET any -> [148.251.2.151] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756360/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756360; rev:1;) alert tcp $HOME_NET any -> [172.94.9.97] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756362/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756362; rev:1;) alert tcp $HOME_NET any -> [5.252.177.67] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756364/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756364; rev:1;) alert tcp $HOME_NET any -> [89.46.38.86] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756363/; target:src_ip; metadata: confidence_level 
75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756363; rev:1;) alert tcp $HOME_NET any -> [5.223.48.229] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756365/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756365; rev:1;) alert tcp $HOME_NET any -> [134.195.90.181] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756366/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756366; rev:1;) alert tcp $HOME_NET any -> [166.1.209.39] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756367/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756367; rev:1;) alert tcp $HOME_NET any -> [193.233.126.26] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756368/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756368; rev:1;) alert tcp $HOME_NET any -> [176.65.132.97] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756361/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756361; rev:1;) alert tcp $HOME_NET any -> [23.94.252.172] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1756357/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756357; rev:1;) alert tcp $HOME_NET any -> [146.103.105.118] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756358/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756358; rev:1;) alert tcp $HOME_NET any -> [84.201.20.184] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756354/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756354; rev:1;) alert tcp $HOME_NET any -> [78.46.40.151] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756353/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756353; rev:1;) alert tcp $HOME_NET any -> [83.217.208.83] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756355/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756355; rev:1;) alert tcp $HOME_NET any -> [77.91.65.48] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756356/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756356; rev:1;) alert tcp $HOME_NET any -> [80.89.224.19] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756352/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"repo.healthyhubtoday.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756343/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cheapeboobler.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756344/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756344; rev:1;) alert tcp $HOME_NET any -> [64.227.37.151] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.183"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; 
nocase; http.host; content:"135.181.117.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756342/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756342; rev:1;) alert tcp $HOME_NET any -> [171.22.181.114] 38990 (msg:"ThreatFox Pink botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756333; rev:1;) alert tcp $HOME_NET any -> [104.236.8.154] 38925 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756332/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deceptqower.onfinality.pro"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb8a56294dadf33644cb54a090cb9f6/folgk.bvqd"; depth:44; nocase; http.host; content:"deceptqower.onfinality.pro"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756310; rev:1;) alert tcp $HOME_NET any -> [194.33.61.150] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756369/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756369; rev:1;) alert tcp $HOME_NET any -> [138.124.115.16] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756373/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756373; rev:1;) alert tcp $HOME_NET any -> [213.176.77.253] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756370/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756370; rev:1;) alert tcp $HOME_NET any -> [62.60.246.166] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756371/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756371; rev:1;) alert tcp $HOME_NET any -> [78.46.40.157] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756372/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756372; rev:1;) alert tcp $HOME_NET any -> [45.249.90.215] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756374/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756374; rev:1;) alert tcp $HOME_NET any -> [64.188.106.181] 80 (msg:"ThreatFox 
Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756375/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"coco2-hram.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756376/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modernrefrigeration.ca"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modernenglishclasses.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modelo.yellowhello.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modart-friseure.de"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mocdaan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r3ulx0ht.vivaldicoke.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mobichok.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ym0p657h.vivaldicoke.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756345; rev:1;) alert tcp $HOME_NET any -> [111.229.157.84] 8878 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756338/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_01; classtype:trojan-activity; sid:91756338; rev:1;) alert tcp $HOME_NET any -> [111.229.157.84] 8887 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756339; rev:1;) alert tcp $HOME_NET any -> [111.229.157.84] 9987 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756340; rev:1;) alert tcp $HOME_NET any -> [16.59.25.41] 1200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756336; rev:1;) alert tcp $HOME_NET any -> [16.59.25.41] 7000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756337; rev:1;) alert tcp $HOME_NET any -> [56.112.22.230] 31766 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756335; rev:1;) alert tcp $HOME_NET any -> [45.153.34.23] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hlgzssmbz.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756331/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756331; rev:1;) alert tcp $HOME_NET any -> [151.241.154.244] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756330; rev:1;) alert tcp $HOME_NET any -> [102.158.228.15] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756329; rev:1;) alert tcp $HOME_NET any -> [43.153.117.231] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5tdxu.sa.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756322; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conciathumli.za.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iop2.ru.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mil-jtf.sa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunwinn.sa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx88.tech"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"snapshop.in.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"innovate.uk.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quibrigalqui.za.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756320; rev:1;) alert tcp $HOME_NET any -> [203.91.74.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkz.bayaderagroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkwordpress.azurewebsites.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"f2vwg20bnfcrr.cfc-execute.bj.baidubce.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756315/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkoehler.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y6ryee05.edgemirinda.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qf1ew8su.edgemirinda.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mitselwier.nl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756309/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_03_01; classtype:trojan-activity; sid:91756309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mister-agency.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756308; rev:1;) alert tcp $HOME_NET any -> [95.164.53.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756307/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756307; rev:1;) alert tcp $HOME_NET any -> [52.223.7.108] 8127 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756306/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756306; rev:1;) alert tcp $HOME_NET any -> [162.141.117.43] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756305/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91756305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"missone.z-1.tokyo"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"beyondset.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756303/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"efebudaktr.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756302/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756302; rev:1;) alert tcp $HOME_NET any -> [198.23.175.51] 4079 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756301/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"888now.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756292/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"888top7.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756293/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"beehive.it.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756294/; target:src_ip; metadata: 
confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mv88.game"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756295/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mv88.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756296/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"record.co.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756297/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shoemaker.jp.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756298/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"w188.cheap"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756299/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"weuy.sa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756300/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756300; rev:1;)
# IP:port IOCs labelled AsyncRAT C2 (feed confidence level 50%). The rules below pair two
# destination addresses, 104.21.7.102 and 172.67.130.27, with a set of TCP ports.
# There are no flow or payload keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, whether or not a session is established. threshold limits output to one alert
# per source host per 60 seconds; target:src_ip marks the internal host as the affected side.
# NOTE(review): both addresses look like they fall inside Cloudflare's published ranges
# (104.16.0.0/13 and 172.64.0.0/13) - confirm. If so, the address is shared reverse-proxy
# infrastructure, and an alert needs corroboration from host telemetry (which process opened the
# connection) before it is treated as a confirmed infection.
alert tcp $HOME_NET any -> [104.21.7.102] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756284/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756284; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756286/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756286; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756287/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756287; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756288/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756288; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756289/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756289; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756290/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756290; rev:1;)
alert tcp $HOME_NET any -> [172.67.130.27] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756291/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756291; rev:1;)
alert tcp $HOME_NET any -> [104.21.7.102] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756279/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756279; rev:1;)
alert tcp $HOME_NET any -> [104.21.7.102] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756280/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756280; rev:1;)
alert tcp $HOME_NET any -> [104.21.7.102] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756281/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756281; rev:1;)
alert tcp $HOME_NET any -> [104.21.7.102] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1756282/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756282; rev:1;)
# IP:port IOC (AsyncRAT C2, per msg): matches any TCP packet from $HOME_NET to the listed address
# and port; threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [104.21.7.102] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756283/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756283; rev:1;)
# Domain IOCs (feed confidence level 50%). Each rule matches one literal against the DNS query
# name (dns_query buffer). depth equals the literal's length and isdataat:!1,relative requires
# that nothing follows it, so only the exact name fires (nocase makes it case-insensitive);
# a query for a subdomain of a listed name does not match.
# The msg names no malware family; the reference URL is the only pointer to context.
# NOTE(review): most names here are registered under shared second-level suffixes (za.com,
# uk.com, sa.com, cn.com, it.com, eu.com, us.com, ru.com, in.net, ae.org). The exact-name anchor
# is what keeps unrelated names under those suffixes out of scope - preserve it on any edit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"numqcf.za.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756268/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ppu.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756269/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rgihtl.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756270/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sat.cn.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756271/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"talion.it.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756272/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"th99.cn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756273/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"trk.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756274/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ugroup.uk.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756275/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vii.eu.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756276/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"women-looking-for-men.us.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756277/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aishahbullock.ru.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756262/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"apple.ae.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756263/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bostoncollege.za.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756264/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"infohub.in.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756265/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"keto-gummies1.ru.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756266/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"m3m.in.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756267/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756267; rev:1;)
# URL IOCs for plaintext HTTP. Each rule requires an established flow, a request from the client,
# method GET, a URI that begins with the listed literal, and a Host value equal to the listed
# literal (depth plus isdataat:!1,relative anchor both ends of the host match).
# The URI literal is anchored only at the start (depth, no end check), so longer paths and
# query strings after it still match. Where the literal is "/", the URI condition is met by any
# request path, and the rule in effect alerts on every GET to that host.
# NOTE(review): the host literals are matched without nocase; this relies on the sensor
# normalising http.host to lower case - confirm for the deployed Suricata version.
# NOTE(review): requests to the same hosts over TLS are not visible to these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alwinshop.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756261/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"43.153.117.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756260/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5065bfaf5315fdfb.php"; depth:21; nocase; http.host; content:"5.75.232.223"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756259/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9f53354de2964d8b.php"; depth:21; nocase; http.host; content:"82.25.63.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756258/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756258; rev:1;)
# IP:port IOCs (feed confidence level 50%). The family in each msg comes from the feed:
# Nanocore RAT, DCRat, Havoc, "Unknown malware", SectopRAT and NetSupportManager RAT.
# None of these rules has flow or payload keywords, so any TCP packet from $HOME_NET to the
# listed address and port matches - an alert does not show that a session was established or
# that the traffic is the named family's protocol. threshold limits output to one alert per
# source host per 60 seconds; target:src_ip marks the internal host as the affected side.
# NOTE(review): several entries use 80, 443, 8080 or 8443, where ordinary web traffic to the
# same address would also alert. Corroborate with host telemetry before escalating.
# NOTE(review): address indicators go stale when addresses are reassigned; first_seen in the
# metadata is the only age signal the rule carries, so consider ageing entries out on it.
alert tcp $HOME_NET any -> [2.58.84.141] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756257/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756257; rev:1;)
alert tcp $HOME_NET any -> [116.99.185.45] 8889 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756256/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756256; rev:1;)
alert tcp $HOME_NET any -> [66.154.117.64] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756254/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756254; rev:1;)
alert tcp $HOME_NET any -> [109.100.140.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756255/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756255; rev:1;)
alert tcp $HOME_NET any -> [102.117.160.67] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756253/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756253; rev:1;)
alert tcp $HOME_NET any -> [104.208.24.64] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756250/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756250; rev:1;)
alert tcp $HOME_NET any -> [52.44.43.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756251/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756251; rev:1;)
alert tcp $HOME_NET any -> [204.10.216.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756252/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756252; rev:1;)
alert tcp $HOME_NET any -> [212.193.31.202] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756249/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756249; rev:1;)
alert tcp $HOME_NET any -> [151.59.44.195] 8080 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756247/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756247; rev:1;)
alert tcp $HOME_NET any -> [193.24.123.74] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756248/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756248; rev:1;)
alert tcp $HOME_NET any -> [144.124.232.70] 63210 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756246/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756246; rev:1;)
alert tcp $HOME_NET any -> [62.172.138.41] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756243/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756243; rev:1;)
alert tcp $HOME_NET any -> [54.64.233.19] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756244/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756244; rev:1;)
alert tcp $HOME_NET any -> [219.100.168.210] 80 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756245/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756245; rev:1;)
alert tcp $HOME_NET any -> [62.221.192.204] 8443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756242/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756242; rev:1;)
# IP:port IOCs labelled Kimsuky (feed confidence level 50%), all on port 80 or 443.
# The rules have no flow or payload keywords: any TCP packet from $HOME_NET to the listed
# address and port matches. threshold limits output to one alert per source host per 60
# seconds; target:src_ip marks the internal host as the affected side.
# NOTE(review): on 80/443 the rule cannot tell C2 traffic from any other web request to the
# same server. Pair an alert with HTTP/TLS logs for the same flow before attributing it.
alert tcp $HOME_NET any -> [118.194.248.183] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756241/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756241; rev:1;)
alert tcp $HOME_NET any -> [152.32.243.215] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756238/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756238; rev:1;)
alert tcp $HOME_NET any -> [152.32.139.149] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756239/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756239; rev:1;)
alert tcp $HOME_NET any -> [167.88.166.204] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756240/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756240; rev:1;)
alert tcp $HOME_NET any -> [118.193.69.19] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756235/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756235; rev:1;)
alert tcp $HOME_NET any -> [118.193.69.19] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756236/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756236; rev:1;)
alert tcp $HOME_NET any -> [27.102.137.140] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756237/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756237; rev:1;)
# IP:port IOCs labelled Sliver C2. Every entry below uses port 31337 except 38.60.209.204,
# which uses 1337. Same shape as the rules above: address and port only, one alert per source
# host per 60 seconds.
# NOTE(review): 31337 is, to my knowledge, the default port of Sliver's multiplayer (operator)
# listener rather than of an implant listener - confirm. If so, these entries identify hosts
# running a Sliver server, and implant traffic to the same hosts may use other ports that these
# rules do not cover; a quiet rule is not evidence of no contact.
alert tcp $HOME_NET any -> [51.75.62.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756234/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756234; rev:1;)
alert tcp $HOME_NET any -> [45.139.76.169] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756230/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756230; rev:1;)
alert tcp $HOME_NET any -> [188.225.43.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756231/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756231; rev:1;)
alert tcp $HOME_NET any -> [45.251.240.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756232/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756232; rev:1;)
alert tcp $HOME_NET any -> [62.60.153.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756233/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756233; rev:1;)
alert tcp $HOME_NET any -> [146.103.124.7] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756227/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756227; rev:1;)
alert tcp $HOME_NET any -> [159.198.45.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756228/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756228; rev:1;)
alert tcp $HOME_NET any -> [124.221.46.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756229/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756229; rev:1;)
alert tcp $HOME_NET any -> [139.162.180.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756223/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756223; rev:1;)
alert tcp $HOME_NET any -> [38.60.209.204] 1337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756224/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756224; rev:1;)
alert tcp $HOME_NET any -> [62.171.166.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756225/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756225; rev:1;)
alert tcp $HOME_NET any -> [46.225.168.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756226/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756226; rev:1;)
alert tcp $HOME_NET any -> [46.37.123.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756220/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756220; rev:1;)
alert tcp $HOME_NET any -> [144.172.117.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756221/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756221; rev:1;)
alert tcp $HOME_NET any -> [87.106.187.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756222/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756222; rev:1;)
alert tcp $HOME_NET any -> [164.92.108.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756218/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_03_01; classtype:trojan-activity; sid:91756218; rev:1;)
# One more Sliver-labelled entry, then IP:port IOCs labelled "Unknown malware" (feed confidence
# level 50%), all on port 443 except 141.227.188.226, which is listed on both 80 and 443.
# The rules have no flow, TLS or payload keywords: any TCP packet from $HOME_NET to the listed
# address and port matches. threshold limits output to one alert per source host per 60
# seconds; target:src_ip marks the internal host as the affected side.
# NOTE(review): with no family name and an address-only match on 443, an alert here carries
# little evidence on its own. Look up the reference URL and check the TLS server name or
# certificate logged for the same flow before escalating.
# NOTE(review): some of these addresses may sit in large hosting or cloud ranges where
# addresses are reassigned - verify current ownership; first_seen is the only age signal.
alert tcp $HOME_NET any -> [146.190.153.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756219/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756219; rev:1;)
alert tcp $HOME_NET any -> [54.220.117.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756216/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756216; rev:1;)
alert tcp $HOME_NET any -> [52.200.205.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756217/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756217; rev:1;)
alert tcp $HOME_NET any -> [141.227.188.226] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756214/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756214; rev:1;)
alert tcp $HOME_NET any -> [35.226.91.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756215/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756215; rev:1;)
alert tcp $HOME_NET any -> [54.173.168.122] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756213/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756213; rev:1;)
alert tcp $HOME_NET any -> [135.181.151.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756211/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756211; rev:1;)
alert tcp $HOME_NET any -> [141.227.188.226] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756212/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756212; rev:1;)
alert tcp $HOME_NET any -> [18.116.2.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756210/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756210; rev:1;)
alert tcp $HOME_NET any -> [8.138.0.26] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756208/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756208; rev:1;)
alert tcp $HOME_NET any -> [42.112.116.168] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756209/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756209; rev:1;)
alert tcp $HOME_NET any -> [114.55.100.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756205/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756205; rev:1;)
alert tcp $HOME_NET any -> [104.207.157.24] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756206/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756206; rev:1;)
alert tcp $HOME_NET any -> [223.254.128.112] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756207/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756207; rev:1;)
alert tcp $HOME_NET any -> [149.28.10.10] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756202/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756202; rev:1;)
alert tcp $HOME_NET any -> [103.97.177.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756203/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756203; rev:1;)
alert tcp $HOME_NET any -> [49.212.143.246] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756204/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756204; rev:1;)
alert tcp $HOME_NET any -> [16.78.3.206] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756200/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756200; rev:1;)
alert tcp $HOME_NET any -> [47.117.180.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756201/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756201; rev:1;)
alert tcp $HOME_NET any -> [154.37.219.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756198/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756198; rev:1;)
alert tcp $HOME_NET any -> [59.110.221.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756199/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756199; rev:1;)
alert tcp $HOME_NET any -> [106.52.115.119] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756197/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756197; rev:1;)
alert tcp $HOME_NET any -> [172.245.45.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756194/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756194; rev:1;)
alert tcp $HOME_NET any -> [101.33.199.146] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756195/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756195; rev:1;)
alert tcp $HOME_NET any -> [103.143.230.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756196/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756196; rev:1;)
alert tcp $HOME_NET any -> [39.97.3.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756191/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756191; rev:1;)
alert tcp $HOME_NET any -> [47.251.77.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756192/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756192; rev:1;)
alert tcp $HOME_NET any -> [43.161.238.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756193/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756193; rev:1;)
alert tcp $HOME_NET any -> [41.221.194.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756189/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756189; rev:1;)
alert tcp $HOME_NET any -> [149.28.9.83] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756190/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756190; rev:1;)
alert tcp $HOME_NET any -> [38.146.29.63] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756186/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756186; rev:1;)
alert tcp $HOME_NET any -> [27.150.169.68] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756187/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756187; rev:1;)
alert tcp $HOME_NET any -> [121.199.28.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756188/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756188; rev:1;)
alert tcp $HOME_NET any -> [39.101.131.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756184/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756184; rev:1;) alert tcp $HOME_NET any -> [8.140.255.31] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756185/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756185; rev:1;) alert tcp $HOME_NET any -> [104.238.153.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756181/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756181; rev:1;) alert tcp $HOME_NET any -> [144.202.121.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756182/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756182; rev:1;) alert tcp $HOME_NET any -> [49.232.215.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756183/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756183; rev:1;) alert tcp $HOME_NET any -> [43.160.204.217] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756180/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; 
classtype:trojan-activity; sid:91756180; rev:1;) alert tcp $HOME_NET any -> [8.218.237.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756179/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756179; rev:1;) alert tcp $HOME_NET any -> [121.40.126.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756175/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756175; rev:1;) alert tcp $HOME_NET any -> [39.106.8.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756176/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756176; rev:1;) alert tcp $HOME_NET any -> [47.116.114.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756177/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756177; rev:1;) alert tcp $HOME_NET any -> [47.105.227.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756174/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756174; rev:1;) alert tcp $HOME_NET any -> [81.68.129.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756171/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756171; rev:1;) alert tcp $HOME_NET any -> [47.94.136.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756172/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756172; rev:1;) alert tcp $HOME_NET any -> [199.188.109.7] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756173/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756173; rev:1;) alert tcp $HOME_NET any -> [172.174.38.81] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756168/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756168; rev:1;) alert tcp $HOME_NET any -> [8.138.122.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756169/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756169; rev:1;) alert tcp $HOME_NET any -> [13.251.198.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756170/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756170; rev:1;) alert tcp $HOME_NET 
any -> [45.64.52.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756166/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756166; rev:1;) alert tcp $HOME_NET any -> [101.200.90.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756167/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756167; rev:1;) alert tcp $HOME_NET any -> [47.83.165.246] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756163/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756163; rev:1;) alert tcp $HOME_NET any -> [45.64.52.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756164/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756164; rev:1;) alert tcp $HOME_NET any -> [149.248.15.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756165/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756165; rev:1;) alert tcp $HOME_NET any -> [47.99.92.6] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756160/; 
target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756160; rev:1;) alert tcp $HOME_NET any -> [39.107.121.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756161/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756161; rev:1;) alert tcp $HOME_NET any -> [115.190.217.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756162/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756162; rev:1;) alert tcp $HOME_NET any -> [39.106.57.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756159/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756159; rev:1;) alert tcp $HOME_NET any -> [116.62.142.146] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756156/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756156; rev:1;) alert tcp $HOME_NET any -> [8.138.176.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756158/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756158; rev:1;) alert tcp $HOME_NET any -> [202.61.139.28] 443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756153/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756153; rev:1;) alert tcp $HOME_NET any -> [122.51.41.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756154/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756154; rev:1;) alert tcp $HOME_NET any -> [172.245.45.75] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756155/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756155; rev:1;) alert tcp $HOME_NET any -> [45.32.133.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756150/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756150; rev:1;) alert tcp $HOME_NET any -> [172.245.45.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756151/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756151; rev:1;) alert tcp $HOME_NET any -> [175.178.41.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756152/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_03_01; classtype:trojan-activity; sid:91756152; rev:1;) alert tcp $HOME_NET any -> [52.221.94.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756147/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756147; rev:1;) alert tcp $HOME_NET any -> [172.245.45.78] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756148/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756148; rev:1;) alert tcp $HOME_NET any -> [8.217.85.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756144/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756144; rev:1;) alert tcp $HOME_NET any -> [172.190.135.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756145/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756145; rev:1;) alert tcp $HOME_NET any -> [47.237.6.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756146/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756146; rev:1;) alert tcp $HOME_NET any -> [41.221.194.234] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756142/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756142; rev:1;) alert tcp $HOME_NET any -> [202.61.139.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756143/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756143; rev:1;) alert tcp $HOME_NET any -> [172.245.45.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756140/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756140; rev:1;) alert tcp $HOME_NET any -> [172.211.33.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756141/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756141; rev:1;) alert tcp $HOME_NET any -> [47.92.65.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756138/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756138; rev:1;) alert tcp $HOME_NET any -> [199.188.104.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756139/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756139; rev:1;) 
# ThreatFox ip:port indicators, confidence_level 50, one rule per indicator.
# None of these rules carries a payload, TLS or flow keyword: each one matches
# any TCP packet sent from $HOME_NET to the listed address and port, so an alert
# shows that traffic went to that endpoint, not what the traffic contained.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source address per 60 seconds; target:src_ip marks the internal
# source as the affected host in the event record.
# NOTE(review): an address-and-port match on 443 cannot tell C2 from any other
# service later hosted on the same address. At 50% confidence, treat a hit as a
# lead to corroborate with TLS metadata or endpoint telemetry, and consider
# expiring entries by first_seen. Confirm against local tuning policy.
alert tcp $HOME_NET any -> [149.28.202.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756134/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756134; rev:1;)
alert tcp $HOME_NET any -> [47.83.137.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756135/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756135; rev:1;)
alert tcp $HOME_NET any -> [124.220.154.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756136/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756136; rev:1;)
alert tcp $HOME_NET any -> [14.22.78.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756132/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756132; rev:1;)
alert tcp $HOME_NET any -> [103.144.246.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756133/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756133; rev:1;)
# The msg family label changes to Cobalt Strike from this rule on; the match
# logic is the same address-and-port test as above.
alert tcp $HOME_NET any -> [121.153.7.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1756131/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756131; rev:1;) alert tcp $HOME_NET any -> [8.219.1.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756129/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756129; rev:1;) alert tcp $HOME_NET any -> [31.57.243.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756130/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756130; rev:1;) alert tcp $HOME_NET any -> [52.31.143.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756127/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756127; rev:1;) alert tcp $HOME_NET any -> [47.92.112.29] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756128/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756128; rev:1;) alert tcp $HOME_NET any -> [85.208.109.59] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756124/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756124; rev:1;) alert tcp $HOME_NET any -> [134.122.155.12] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756125/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756125; rev:1;) alert tcp $HOME_NET any -> [47.79.123.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756126/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756126; rev:1;) alert tcp $HOME_NET any -> [34.235.176.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756120/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756120; rev:1;) alert tcp $HOME_NET any -> [137.184.53.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756121/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756121; rev:1;) alert tcp $HOME_NET any -> [134.122.155.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756122/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756122; rev:1;) alert tcp $HOME_NET any -> [213.165.63.32] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756123/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_03_01; classtype:trojan-activity; sid:91756123; rev:1;) alert tcp $HOME_NET any -> [86.54.25.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756118/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756118; rev:1;) alert tcp $HOME_NET any -> [38.147.172.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756119/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756119; rev:1;) alert tcp $HOME_NET any -> [51.195.246.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756116/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756116; rev:1;) alert tcp $HOME_NET any -> [134.122.155.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756117/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756117; rev:1;) alert tcp $HOME_NET any -> [47.119.134.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756112/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756112; rev:1;) alert tcp $HOME_NET any -> [212.127.73.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756113/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756113; rev:1;) alert tcp $HOME_NET any -> [216.185.57.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756114/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756114; rev:1;) alert tcp $HOME_NET any -> [43.247.134.215] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756115/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756115; rev:1;) alert tcp $HOME_NET any -> [80.97.160.90] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756107/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756107; rev:1;) alert tcp $HOME_NET any -> [3.134.53.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756108/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756108; rev:1;) alert tcp $HOME_NET any -> [116.204.34.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756109/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756109; rev:1;) alert tcp $HOME_NET any -> 
[8.219.1.155] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756110/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756110; rev:1;) alert tcp $HOME_NET any -> [104.168.157.238] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756111/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756111; rev:1;) alert tcp $HOME_NET any -> [207.148.92.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756103/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756103; rev:1;) alert tcp $HOME_NET any -> [104.36.229.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756104/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756104; rev:1;) alert tcp $HOME_NET any -> [178.16.55.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756105/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756105; rev:1;) alert tcp $HOME_NET any -> [176.99.14.145] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756106/; 
target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756106; rev:1;)
# Cobalt Strike ip:port indicators on ports 80 and 4444, confidence_level 50.
# As with the 443 entries, there is no content keyword: any TCP packet from
# $HOME_NET to the address and port matches, limited to one alert per source
# per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [39.106.133.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756102/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756102; rev:1;)
alert tcp $HOME_NET any -> [47.94.165.50] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756101/; target:src_ip; metadata: confidence_level 50, first_seen 2026_03_01; classtype:trojan-activity; sid:91756101; rev:1;)
# Domain indicator, confidence_level 100. depth equals the length of the content
# string and isdataat:!1,relative requires that no byte follows it, so the
# dns_query buffer must equal the name exactly (case-insensitively, via nocase).
# A query for a subdomain of this name does not match this rule. There is no
# threshold option, so every matching query raises an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"missionvienouvelle.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756100; rev:1;)
# URL indicator, confidence_level 100. flow:established,from_client restricts the
# rule to client requests on established flows. http.host must equal the listed
# name exactly (depth:16 plus isdataat:!1,relative), while http.uri is anchored
# only at its start (depth:8, no isdataat), so any GET whose URI begins with
# "/updater" in any letter case on that host matches, including longer paths
# and query strings.
# NOTE(review): the rule inspects http buffers, so it presumably sees only
# requests the sensor can parse as HTTP; the same URL fetched over TLS would
# need decryption upstream. Confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"cheapeboobler.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756099; rev:1;)
# Domain indicator: same exact-name dns_query match as the dns rule above
# (depth:16 equals the length of the content string).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miss-grateful.nl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; 
classtype:trojan-activity; sid:91756097; rev:1;) alert tcp $HOME_NET any -> [103.177.47.210] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756095; rev:1;) alert tcp $HOME_NET any -> [13.127.228.186] 250 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756096; rev:1;) alert tcp $HOME_NET any -> [103.177.47.230] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756094; rev:1;) alert tcp $HOME_NET any -> [103.177.47.185] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756093; rev:1;) alert tcp $HOME_NET any -> [84.201.14.2] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756092; rev:1;) alert tcp $HOME_NET any -> [150.241.203.242] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1756091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756091; rev:1;) alert tcp $HOME_NET any -> [172.111.213.119] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756090; rev:1;) alert tcp $HOME_NET any -> [176.117.107.87] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756089; rev:1;) alert tcp $HOME_NET any -> [103.39.16.241] 20411 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1lf2pz2k.bravepepsi.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vr3d0r4f.bravepepsi.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; 
sid:91756086; rev:1;)
# URL IOCs (payload delivery, confidence_level 90).
# All of these require a client-side GET on an established flow and an exact
# Host match (depth equal to the content length plus isdataat:!1,relative).
# They only see HTTP that Suricata can parse, i.e. cleartext or decrypted
# traffic. The same URL fetched over TLS without decryption will not alert.
#
# sid 91755818 pins a URI prefix (depth:36, no end-of-buffer check, so longer
# URIs with this prefix also match).
# NOTE(review): the Host here looks like a shared storage endpoint rather than
# a dedicated domain, so the URI prefix carries the specificity of this rule.
# Confirm before reusing the host alone as a blocklist entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us5/verifying/cloudflare/index.html"; depth:36; nocase; http.host; content:"sos-ch-gva-2.exo.io"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755818/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755818; rev:1;)
# In the rules below the URI test is `content:"/"; depth:1;`, which only
# requires the URI to begin with "/". Any origin-form request path satisfies
# that, so these are in effect "GET to this exact Host" rules: expect an alert
# for every page and asset fetched from the host, not only the delivery URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.fundingfactors.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755820/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"catalogocanjefideliza.amsd.cl"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755821/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mail.castlefordlocksmiths.co.uk"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755822/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mail.kalantarilaw.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755823/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coveney-ltd.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755824/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ceymox.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755825/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arayapps.cl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755826/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"berlinphysiotherapie.com"; depth:24; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1755827/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"waygatterol002.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755841/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91755841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"o-parana.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755842/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91755842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"euclidrent.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755843/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91755843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mebeliotmasiv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755844/; target:src_ip; metadata: confidence_level 75, first_seen 2026_03_01; classtype:trojan-activity; sid:91755844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"customblindinstall.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755944/; target:src_ip; metadata: 
confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91755944; rev:1;) alert tcp $HOME_NET any -> [206.189.177.137] 5555 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.html"; depth:11; nocase; http.host; content:"reviewloading.t3.storage.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1756070/; target:src_ip; metadata: confidence_level 90, first_seen 2026_03_01; classtype:trojan-activity; sid:91756070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mirandableijenberg.nl"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756085; rev:1;) alert tcp $HOME_NET any -> [144.126.143.208] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756084; rev:1;) alert tcp $HOME_NET any -> [31.57.147.242] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; 
sid:91756083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miroku.jp.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmc.jpn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doit.sa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miodowetarasy.pl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minya.design"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"minsk.peskovoz.by"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minnesotastreetprojectadjacent.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minkundtjanst.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xmes67am.safaricola.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kdpofutk.safaricola.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdasvwggwt24t2wdw-57582.portmap.host"; depth:36; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fkeasfodsfkefoapdsofkp-64534.portmap.host"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minervaalvarez.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minascorretora.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mim03takerharjo.sch.id"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756067; rev:1;) alert tcp $HOME_NET any -> [168.245.203.30] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756066/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756066; rev:1;)
# ip:port IOCs for several families (confidence_level 100).
# The family named in msg is the feed's label for the endpoint. Nothing in
# these rules inspects the protocol: the match is any TCP packet from $HOME_NET
# to the address and port, limited to one alert per source per 60 s.
# confidence_level is metadata only and does not change what matches, so a hit
# on port 80 or 443 still needs corroboration from HTTP/TLS/flow logs.
# Two addresses here also carry a second sid elsewhere in this file:
# 84.201.14.2 (port 80, sid 91756092) and 107.173.33.219 (port 9999,
# sid 91756033). When correlating, treat hits on either sid as the same remote
# host.
alert tcp $HOME_NET any -> [84.201.14.2] 443 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756065; rev:1;)
alert tcp $HOME_NET any -> [54.249.167.126] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756064; rev:1;)
alert tcp $HOME_NET any -> [143.92.169.237] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756063; rev:1;)
alert tcp $HOME_NET any -> [5.178.96.160] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756062; rev:1;)
alert tcp $HOME_NET any -> [107.173.33.219] 19999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756061; rev:1;)
alert tcp $HOME_NET any -> [4.228.217.99] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756060; rev:1;) alert tcp $HOME_NET any -> [104.250.169.101] 1781 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milliontecnologia.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"millesime93.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"millenniumv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fkeasfodsfkefoapdsofkp-45692.portmap.host"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756055/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756055; rev:1;) alert tcp $HOME_NET any -> [69.30.246.237] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756054; rev:1;) alert tcp $HOME_NET any -> [118.107.47.82] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756052; rev:1;) alert tcp $HOME_NET any -> [175.31.149.169] 3347 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756053; rev:1;) alert tcp $HOME_NET any -> [95.216.107.61] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756051; rev:1;) alert tcp $HOME_NET any -> [80.78.23.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756050; rev:1;) alert tcp $HOME_NET any -> [23.226.48.201] 13824 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpc188.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milil.com.bd"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mikebot-photographs.nl"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mikadistributorspr.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mijnbruiloft.wecapture.nl"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1756044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miguelangellopez.es"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miftravelshop.maninflight.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mifa.it"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mietgarage-grossenwiehe.de"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756040; rev:1;) alert tcp $HOME_NET any -> [103.23.255.74] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; 
classtype:trojan-activity; sid:91756039; rev:1;) alert tcp $HOME_NET any -> [13.231.195.74] 82 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756038; rev:1;) alert tcp $HOME_NET any -> [196.65.221.137] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756037; rev:1;) alert tcp $HOME_NET any -> [168.245.203.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756035; rev:1;) alert tcp $HOME_NET any -> [43.202.61.7] 3390 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756036; rev:1;) alert tcp $HOME_NET any -> [118.107.47.86] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756034; rev:1;) alert tcp $HOME_NET any -> [107.173.33.219] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1756033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_03_01; classtype:trojan-activity; sid:91756033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"o90zx8u6.vivaldisprite.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6pzdx6w7.vivaldisprite.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"michaelostergaard.garage.dk"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756030; rev:1;) alert tcp $HOME_NET any -> [61.216.92.127] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756028; rev:1;) alert tcp $HOME_NET any -> [223.109.206.176] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756027/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_28; classtype:trojan-activity; sid:91756027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatman1290man2349.click"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatmen.zip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.silent-frog-4440.hrmcxaeel.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.silent-frog-4440.hrmcxaeel.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.silent-frog-4440.hrmcxaeel.workers.dev"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; 
sid:91756017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.silent-frog-4440.hrmcxaeel.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.silent-frog-4440.hrmcxaeel.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.silent-frog-4440.hrmcxaeel.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.silent-frog-4440.hrmcxaeel.workers.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.silent-frog-4440.hrmcxaeel.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91756022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.silent-frog-4440.hrmcxaeel.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756023; rev:1;) alert tcp $HOME_NET any -> [3.109.134.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.wb270.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.wb270.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.wb270.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"malware.wb270.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.wb270.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.wb270.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.wb270.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.wb270.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756013; rev:1;) alert tcp $HOME_NET any -> [43.205.82.171] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1756014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.wb270.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756005; rev:1;) alert tcp $HOME_NET any -> [154.201.70.163] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756003; rev:1;) alert tcp $HOME_NET any -> [154.201.70.149] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.diamundialradio.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756001; rev:1;) alert tcp $HOME_NET any -> [118.107.47.84] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1756002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756002; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.diamundialradio.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.diamundialradio.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.diamundialradio.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.diamundialradio.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.diamundialradio.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"phishing.diamundialradio.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.diamundialradio.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.diamundialradio.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1756000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91756000; rev:1;) alert tcp $HOME_NET any -> [188.166.233.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.cclp.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.cclp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.cclp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.cclp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.cclp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.cclp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.cclp.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; 
sid:91755988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.cclp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.cclp.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88ce.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88ec.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88ga.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"www.bet88so.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88va.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88ve.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88we.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88zi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bet88zu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tinhthongaz.co"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755982; rev:1;) alert tcp $HOME_NET any -> [95.181.162.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bet88cf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bet88nr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bet88tm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755971; rev:1;) 
# Reviewer notes on the two rule shapes that follow (domain rules and ip:port rules):
# - Domain rules (alert dns): dns_query + content with depth equal to the name's length, plus
#   isdataat:!1,relative, pin the match to the exact query name, compared case-insensitively
#   (nocase). A query for any other label under the same parent domain does not match; only
#   the names listed here are covered.
# - ip:port rules (alert tcp): there are no flow or content keywords, so any TCP packet from
#   $HOME_NET to the listed address and port matches. threshold (type limit, track by_src,
#   seconds 60, count 1) caps output at one alert per source per 60 seconds. The match is on
#   address and port alone, so an alert shows contact with that endpoint and does not by
#   itself confirm the family named in msg; use metadata first_seen to judge IOC age in triage.
# - target:src_ip marks the source side (the $HOME_NET host) as the target in the event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinhthongaz.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755972; rev:1;) alert tcp $HOME_NET any -> [43.240.239.252] 13824 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.fshcgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.fshcgroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.fshcgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ddos.fshcgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.fshcgroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.fshcgroup.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.fshcgroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.fshcgroup.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.fshcgroup.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.megology.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.megology.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.megology.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.megology.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.megology.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.megology.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.megology.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.megology.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.megology.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mic.uilpa.it"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"miatafcr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mialcubo.cl"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mhyklnieves.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mgmoulamiah.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mfsetiquetas.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mfk.toys"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mexico.is"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755940; rev:1;) alert tcp $HOME_NET any -> [188.137.228.57] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755939; rev:1;) alert tcp $HOME_NET any -> [51.84.57.108] 38002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755937; rev:1;) alert tcp $HOME_NET any -> [43.209.252.203] 6009 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755938; rev:1;) alert tcp $HOME_NET any -> [199.101.111.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755936; rev:1;) alert tcp $HOME_NET any -> [46.19.66.166] 80 
(msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755935; rev:1;) alert tcp $HOME_NET any -> [162.212.153.138] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755934; rev:1;)
# Reviewer notes on the url rules (alert http) that start here:
# - http.uri with content:"/"; depth:1 only requires the URI to begin with "/", so the effective
#   condition is a client GET on an established flow whose Host equals the listed name exactly
#   (depth equal to the name's length plus isdataat:!1,relative). msg says "url", but no
#   specific path is matched.
# - An http rule fires only on HTTP that Suricata can parse in clear text. The same host reached
#   over TLS is not seen by these rules unless traffic is decrypted upstream; a DNS or TLS SNI
#   rule for the same name would be needed for that case, and none for these hosts is visible
#   in this part of the file - confirm coverage.
# - The http.host content has no nocase. NOTE(review): http.host is documented as a
#   lowercase-normalized buffer, so the lowercase literals should still match - confirm on the
#   deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projecttetstts23r22we.pages.dev"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tri-county-air.pages.dev"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharex0987y6tgv.pages.dev"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ytrfcdxyfcgvbhjhigvytrxezsxdcfgvhbjhgfcdxszazsdfcgvhbjnkh.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wifqha.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"starumc.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"servicesense.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharejio3ed09ji409j340j930j93.pages.dev"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharerev28743erygdx76tygv3edyhbch23wesd6gyh.pages.dev"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tim-pollard.pages.dev"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharw723yubhwsyubhe8yu4eh8yub4yh8gbh3eyh8bue.pages.dev"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"projectssharwuh8iefsduh8ejdcuhjniedfuhedjnefuifdfuijnfcdui.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharw987tyghw2sd7gybwjdcgywhbqncdgqwbhjnudyg8budh2n.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"purduephikaps.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharw897ygh2bwdi87ygh3b2nejdciudye3ghbnw.pages.dev"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"promax-uk.org"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"shareproject7823yuwj3u89djiu934jed934uij394u0j43u90i34u903.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare89ui8uhihuit78gyujh78tgujht79guvjkt897gubjk89t.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"spafer.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"storagepup.pages.dev"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755920/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mxchange0353401099490300394949400303030494530303009494030.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshareidufhvwsundhfyh3ghbedfhybegdffhybgedfyhebgduh.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharew78yh3edhyu3eduhneduhnbedcuhbedch.pages.dev"; depth:55; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"omnicom-paging.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharewwu9ihjedsgtyueqwetsdyuhbhqwyvsdgujiqhwsdtygua.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ntpcg.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nwbison.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectdocshhare9238476t3y8ieuhrfu3jh.pages.dev"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"surgicalsolutions-pr.pages.dev"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare2938er7yuh34erfu8hb3er9fuiojk3ewdiojk2w.pages.dev"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare52452312er245tr2565635452342fdvu7gbdcgydubed.pages.dev"; depth:66; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshareir89398u9238uijnk3e89rfu234erfuj9i3098ji34089j.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsharei3g897ryeuhqjswey78qnwef9y8bhqwjndefygbuhjnqdw.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshareeuidjnjhu2ijwncduijiduujiedusijd.pages.dev"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshar94iw8u932u832i32u89iu893u89323u89.pages.dev"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare039i90djcef98v76tgfrt73de8r9cfdv7gyu.pages.dev"; depth:58; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rizelcre-doc.pages.dev"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshaere86727tt7823gtu7t7u7t8t77t823t78qwt78t78w2qt78.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"samuell-reding.pages.dev"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nsmsgg.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kcam-de.org"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1755890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"proofpoint-workflow.pages.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rcsalesandmanufacturing.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"received-pdf.pages.dev"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"regenia-washington.pages.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755894; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare09e84388edj89euj8e-j9e8jej8eioeieiieee4.pages.dev"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kathy-loshbaugh-d9u.pages.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"newhavenyellowpages.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kathy-loshbaugh.pages.dev"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"juneausyellowpages.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectsha783y2ewdygw2bhsu89xhbywqsu9x8hbwxu8wbhuhsuhbihjw.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mpheonlinert8743ws5frgyhui8hfr5d4ed5gyui.pages.dev"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare0987tyryu8u9y76tf78er76et8wrt7gteer7ey7.pages.dev"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"projectshare2938ruyhj398ruj39e8ruj398erufi8uhr.pages.dev"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"projectshare2387yetgbhjnw98e7gdybhsjnmksoi98uhy.pages.dev"; depth:57; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dustin-stewart-c7o.pages.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jcdp-ia.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"loio.pages.dev"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1755875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pro3y8ed9ucjfby78eujwdcfhsbh8du9ejicsdiodidsiomcasmmasasah.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lc-marshal-and-son.pages.dev"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managementspecialties.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marc-levin-cpa.pages.dev"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"docshareww82w8u1881uq83i8u33u8u82qh8h82h8h2u8u2u8u2u8u8uui.pages.dev"; depth:68; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"docushare928yer9f87yh3ue8uyre.pages.dev"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drstrohecker.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jacob-murphy.pages.dev"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dinasira.pages.dev"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bright-academy.pages.dev"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cana-acna.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bcs-kc.pages.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fileflay.pages.dev"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"la-flor-ch-llc.pages.dev"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hub-city-towing.pages.dev"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bluebackground876tgsywxctgbyhu897dy3euhwuynhwnedunjhfciux.pages.dev"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"docsharewd89f7yughsdxfc8u7yhwebsdfcvu78yhx.pages.dev"; depth:52; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755859/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"avenir-consult.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dinasira-bid.pages.dev"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fsysaidpeourugty3d2ueyrfdc9089u32ecwd80u9idewdc0-9ioewd.pages.dev"; depth:65; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"harbourcityconstruction.pages.dev"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755853; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hmefmh.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"htl-management.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"all-area-real-estate.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"approved-document.pages.dev"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"5280-real-estate-appraisal-llc.pages.dev"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dinasira-invite.pages.dev"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"canaacnai86756des5tdguiop08967564rdyug9807t5e64s5ty.pages.dev"; depth:61; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fsysa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chris-hubbard.pages.dev"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755845/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"co7tech.pages.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755846; rev:1;) alert tcp $HOME_NET any -> [147.124.202.194] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755837; rev:1;) alert tcp $HOME_NET any -> [173.211.106.164] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755838; rev:1;) alert tcp $HOME_NET any -> [164.106.211.173] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755839; rev:1;) alert tcp $HOME_NET any -> [147.124.213.232] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755840; rev:1;) 
# IP:port indicator rules. Each one fires on any TCP packet sent from $HOME_NET
# to the single listed address and port. There is no flow-state or payload
# condition, so the destination address and port are the entire signature.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per source address per 60 seconds, so alert counts do not reflect how
# many connections or packets were actually seen.
# NOTE(review): a bare IP:port indicator stays in force after the address is
# reassigned; check metadata first_seen / confidence_level and the referenced
# ThreatFox entry before using these rules to block rather than alert.
alert tcp $HOME_NET any -> [147.124.215.131] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755828; rev:1;)
alert tcp $HOME_NET any -> [216.250.251.211] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755829; rev:1;)
alert tcp $HOME_NET any -> [147.124.212.125] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755830; rev:1;)
alert tcp $HOME_NET any -> [147.124.214.235] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755831; rev:1;)
alert tcp $HOME_NET any -> [147.124.212.234] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755832; rev:1;)
alert tcp $HOME_NET any -> [66.235.175.117] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1755833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755833; rev:1;) alert tcp $HOME_NET any -> [66.235.175.109] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755834; rev:1;) alert tcp $HOME_NET any -> [216.250.252.163] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755835; rev:1;) alert tcp $HOME_NET any -> [216.250.252.103] 1244 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadexity-32220.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755819; rev:1;) alert tcp $HOME_NET any -> [158.94.211.185] 207 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755817; rev:1;) alert tcp 
$HOME_NET any -> [154.201.70.140] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755815; rev:1;) alert tcp $HOME_NET any -> [62.60.226.97] 5553 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755816/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755816; rev:1;) alert tcp $HOME_NET any -> [43.153.117.231] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755814; rev:1;) alert tcp $HOME_NET any -> [104.168.70.190] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755813; rev:1;) alert tcp $HOME_NET any -> [192.252.187.26] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755812/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_28; classtype:trojan-activity; sid:91755812; rev:1;) alert tcp $HOME_NET any -> [139.180.135.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755811/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ursosmart.lol"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755740; rev:1;) alert tcp $HOME_NET any -> [46.101.85.248] 12345 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deceptpower.onfinality.pro"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interactiom.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.99.163.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755757; rev:1;)
# Domain indicator rules. dns_query selects the DNS query-name buffer;
# content with depth:<pattern length> pins the match to the start of the name
# and isdataat:!1,relative requires that nothing follows it, so each rule
# matches one exact name (case-insensitively, via nocase). A subdomain of a
# listed name is not matched by that name's rule and needs its own entry.
# These rules alert on the lookup leaving $HOME_NET, not on a connection to
# whatever address the name resolves to.
# NOTE(review): with target:src_ip, a sensor placed outside an internal
# resolver will attribute the alert to the resolver rather than the querying
# client - confirm sensor placement or correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"operafanta.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adblueturkey.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"berlinphysiotherapie.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arayapps.cl"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"catalogocanjefideliza.amsd.cl"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"coveney-ltd.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.beverlyhillmanor.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"customblindinstall.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ceymox.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fundingfactors.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.castlefordlocksmiths.co.uk"; 
depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.fundacion-primavera.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.tileroofinglasvegas.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcash.trumpcode.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.kalantarilaw.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softlima.com.br"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755775; rev:1;)
# URL indicator whose path is just "/". http.uri content:"/" with depth:1 only
# requires the URI to start with a slash, so in practice the two http rules
# below match every GET whose http.host buffer is exactly the listed name
# (depth + isdataat:!1,relative pin both ends). nocase on "/" has no effect.
# www.walwood.be and walwood.be are separate exact-match rules
# (sid 91755797 and 91755802); other subdomains are not covered.
# NOTE(review): "alert http" only sees cleartext or decrypted HTTP; requests
# made over TLS will not reach these rules without TLS inspection - confirm
# coverage, or pair with a DNS/SNI-based indicator for the same host.
# The rules on this line carry confidence_level 75-90 rather than 100; the
# value is repeated in metadata so it can be used for filtering or triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.walwood.be"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755797/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_28; classtype:trojan-activity; sid:91755797; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.171] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755798/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_28; classtype:trojan-activity; sid:91755798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"walwood.be"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755802/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_28; classtype:trojan-activity; sid:91755802; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.160] 82 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755810/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755810; rev:1;)
alert tcp $HOME_NET any -> [218.255.179.148] 36089 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755809/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755809; rev:1;) alert tcp $HOME_NET any -> [162.245.218.27] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755808/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755808; rev:1;) alert tcp $HOME_NET any -> [160.176.93.56] 81 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755807/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metaverzse.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755806; rev:1;) alert tcp $HOME_NET any -> [178.215.236.158] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755805; rev:1;) alert tcp $HOME_NET any -> [151.242.152.192] 9633 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cornilleau.ru.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mersa.com.do"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755801; rev:1;) alert tcp $HOME_NET any -> [192.252.187.56] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755800/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755800; rev:1;) alert tcp $HOME_NET any -> [192.252.187.56] 8443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755799; rev:1;) alert tcp $HOME_NET any -> [27.124.38.151] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merac.no"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kn1kwx56.chromepepsi.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"800kc64u.chromepepsi.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mentorni.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755792; rev:1;) alert tcp $HOME_NET any -> [3.28.185.66] 17777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755790; rev:1;) alert tcp $HOME_NET any -> [16.26.101.66] 7170 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755791; rev:1;) alert tcp $HOME_NET any -> [43.134.182.33] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755789; rev:1;)
# ThreatFox IOC rules. Each rule carries one indicator; reference:url holds the
# ThreatFox IOC id and the sid is that id prefixed with 9.
#
# ip:port rules (alert tcp): there is no flow or payload keyword, so any TCP packet
# from $HOME_NET to the listed address and port matches, an unanswered SYN included.
# threshold type limit / track by_src caps output at one alert per source address
# per 60 seconds for each sid.
alert tcp $HOME_NET any -> [45.11.88.42] 3241 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755787; rev:1;)
alert tcp $HOME_NET any -> [107.172.31.107] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755788; rev:1;)
alert tcp $HOME_NET any -> [5.101.86.39] 2428 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755786; rev:1;)
# URL rule: http.uri is anchored at the start only (depth equals the content length,
# no end check), so any GET whose URI begins with /updater matches. http.host must
# equal the listed name exactly. The request has to be visible to the sensor as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"cheapeboobler.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755785; rev:1;)
# Domain rules (alert dns): depth equals the content length and isdataat:!1,relative
# rejects trailing bytes, so only a query for exactly the listed name matches,
# case-insensitively; a query for a subdomain of it does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pasbdyi.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chamkzw.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinyqxr.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sprayboothspecialists.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arthconsultancy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755781; rev:1;)
alert tcp $HOME_NET any -> [103.39.79.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755779; rev:1;)
# confidence_level 90 on the next rule, against 100 on the other rules in this group.
# Port 443 is a common service port and the rule has no TLS or payload condition,
# so a match identifies the destination only.
alert tcp $HOME_NET any -> [16.171.144.81] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755778/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_28; classtype:trojan-activity; sid:91755778; rev:1;)
alert tcp $HOME_NET any -> [203.91.74.229] 18444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755777; rev:1;)
alert tcp $HOME_NET any -> [45.131.214.85] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755776; rev:1;)
# Payload-delivery domains use the same exact-name match as the C2 domain rules;
# only the msg text differs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0e3fpkc.operafanta.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"melocatalogo.meloteste.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"dmv2ddsm.mozillacola.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755756; rev:1;)
# ThreatFox IOC rules, one indicator per rule. Domain rules match only the exact query
# name (depth equals the content length, isdataat:!1,relative rejects trailing bytes);
# ip:port rules match any TCP packet to the address and port and are limited to one
# alert per source address per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9cxnwc3a.mozillacola.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755755; rev:1;)
# NOTE(review): the indicator below is one profile path on steamcommunity.com, not
# the site itself, so it should not be turned into a host- or domain-level block.
# The rule only fires when the request is visible to the sensor as HTTP; presumably
# this site is reached over TLS in practice, in which case an undecrypted sensor
# never sees http.uri -- TODO confirm coverage. http.uri is anchored at the start
# only, so longer URIs beginning with this path also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198035868993"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755753; rev:1;)
alert tcp $HOME_NET any -> [40.177.84.74] 6005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755752; rev:1;)
alert tcp $HOME_NET any -> [199.247.18.13] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755751; rev:1;)
alert tcp $HOME_NET any -> [94.26.106.194] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755750; rev:1;)
alert tcp $HOME_NET any -> [162.245.218.32] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755749; rev:1;)
# NOTE(review): portmap.host looks like a shared port-forwarding zone -- confirm.
# The exact-name anchors keep this rule to the one listed hostname; other names
# under the same zone are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdasfsd-51675.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z2wx6ccc.cortexforge.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ihcoghbj.cortexforge.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medseabrasil.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755741/; target:src_ip; metadata: confidence_level 100,
first_seen 2026_02_28; classtype:trojan-activity; sid:91755741; rev:1;)
# ThreatFox IOC rules, one indicator per rule. target:src_ip marks the $HOME_NET
# host as the affected endpoint in the alert record. Domain rules match the exact
# query name only; ip:port rules have no flow or payload keyword and are limited to
# one alert per source address per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connected.enzstack.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meditech.webdesignnoida.in"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755738; rev:1;)
# The next three rules list the same address on ports 1799, 443 and 80. Each has its
# own sid and its own per-source threshold, so one host can raise all three.
alert tcp $HOME_NET any -> [108.187.43.3] 1799 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755735; rev:1;)
alert tcp $HOME_NET any -> [108.187.43.3] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755736; rev:1;)
alert tcp $HOME_NET any -> [108.187.43.3] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755737; rev:1;)
alert tcp $HOME_NET any -> [46.246.143.163] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755734; rev:1;)
# NOTE(review): ddns.net looks like a dynamic-DNS zone -- confirm. Only the listed
# hostname is matched, not the zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win1011.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755732; rev:1;)
alert tcp $HOME_NET any -> [121.43.165.164] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755733; rev:1;)
alert tcp $HOME_NET any -> [45.113.1.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755731; rev:1;)
alert tcp $HOME_NET any -> [171.80.9.201] 8002 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755730/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755730; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.107] 13824 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755729; rev:1;)
alert tcp $HOME_NET any -> [188.227.14.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuy.eu.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ww1xqffa.cyberlens.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755726; rev:1;)
# confidence_level 50 on the next two payload-delivery domains. The metadata field
# can be used by a rule manager or SIEM to weight these separately from the 100%
# entries; a match on its own is a lead to corroborate, not a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"walwood.be"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755677/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"castellodiviano.it"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755678/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain -
confidence level: 100%)"; dns_query; content:"lrjovevg.cyberlens.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755725; rev:1;)
# ThreatFox IOC rules, one indicator per rule. The ip:port rules in this group are
# all confidence_level 75. They carry no flow or payload keyword, so a single TCP
# packet to the address and port is enough to alert (at most once per source
# address per 60 seconds).
alert tcp $HOME_NET any -> [193.112.116.34] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755724/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755724; rev:1;)
alert tcp $HOME_NET any -> [114.132.222.244] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755723/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755723; rev:1;)
alert tcp $HOME_NET any -> [192.109.200.63] 80 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755720/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755720; rev:1;)
alert tcp $HOME_NET any -> [195.2.93.115] 80 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755721/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755721; rev:1;)
alert tcp $HOME_NET any -> [194.164.34.182] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755722/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755722; rev:1;)
# URL rules with an IP literal as http.host: they match a GET whose host is exactly
# 192.109.200.63 and whose URI begins with /reload or /regevent (http.uri has no end
# anchor). The same address is listed on port 80 by the ip:port rule sid:91755720,
# so one request can raise both a 75% ip:port alert and a 100% URL alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reload"; depth:7; nocase; http.host; content:"192.109.200.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/regevent"; depth:9; nocase; http.host; content:"192.109.200.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755719; rev:1;)
alert tcp $HOME_NET any -> [192.3.27.141] 8087 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755717/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755717; rev:1;)
alert tcp $HOME_NET any -> [192.158.232.90] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755716/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755716; rev:1;)
alert tcp $HOME_NET any -> [158.94.211.76] 7273 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755715/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755715; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only a query for exactly the listed name matches (nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.aryamint.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q8dmuuna.optiweave.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755713; rev:1;)
# confidence_level 50 on the next three C2 domains.
# NOTE(review): dynuddns.com and portmap.host look like dynamic-DNS / port-forwarding
# zones -- confirm. The rules match the listed hostnames only, not the parent zones.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gctradlng.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755712/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"denidsdneisaas3.dynuddns.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755710/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sealllyzo-56611.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755711/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vco6haqa.optiweave.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755709; rev:1;)
# AsyncRAT ip:port entries, all confidence_level 50: four addresses (172.67.188.245,
# 172.67.148.197, 104.21.65.59, 104.21.11.106), each listed on ports 4782, 6606,
# 7707, 8808, 8848 and 8888, one sid per address/port pair. The rules have no flow
# or payload keyword, so any TCP packet to a listed pair alerts, at most once per
# source address per 60 seconds per sid.
# NOTE(review): 172.67.x.x and 104.21.x.x look like CDN reverse-proxy address space
# (Cloudflare) -- TODO confirm with whois. If so, the same addresses front many
# unrelated sites, and a match says only that a host sent a packet to that address
# and port. Corroborate with DNS, TLS or endpoint evidence before treating an alert
# as an infection, and avoid turning these entries into address-level blocks.
alert tcp $HOME_NET any -> [172.67.188.245] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755707/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755707; rev:1;)
alert tcp $HOME_NET any -> [172.67.188.245] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755708/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755708; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755694/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755694; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755696/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755696; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755697/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755697; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755698/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755698; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755699/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755699; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755700/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755700; rev:1;)
alert tcp $HOME_NET any -> [172.67.148.197] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755701/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755701; rev:1;)
alert tcp $HOME_NET any -> [172.67.188.245] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755703/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755703; rev:1;)
alert tcp $HOME_NET any -> [172.67.188.245] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755704/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755704; rev:1;)
alert tcp $HOME_NET any -> [172.67.188.245] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755705/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755705; rev:1;)
alert tcp $HOME_NET any -> [172.67.188.245] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755706/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755706; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755682/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755682; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755683/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755683; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755684/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755684; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755685/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755685; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755686/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755686; rev:1;)
alert tcp $HOME_NET any -> [104.21.11.106] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755687/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755687; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755689/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755689; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755690/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755690; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755691/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755691; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755692/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755692; rev:1;)
alert tcp $HOME_NET any -> [104.21.65.59] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755693/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755693; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only a query for exactly the listed name matches (nocase).
# The first one below is confidence_level 50; the two after it are 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nbaz.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755680/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_28; classtype:trojan-activity; sid:91755680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mediazionefamiliarepn.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mediation-eberherr.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload
delivery (domain - confidence level: 100%)"; dns_query; content:"store-image.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755643; rev:1;)
# Payload-delivery URL rules. Each matches an established client-to-server GET whose
# http.host equals the listed name exactly (depth plus isdataat:!1,relative) and
# whose URI begins with the listed path: http.uri is anchored at the start only, so
# a longer URI such as the path followed by a query string also matches.
# These rules need the request to be visible to the sensor as HTTP. The domain rule
# for the same name fires on the DNS query instead, provided the sensor sees it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"store-image.sbs"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755644; rev:1;)
# Domain rule for yutoridesignpty.com, followed by seven URL rules on the same host
# (sids 91755646 to 91755651). A single download can therefore raise one DNS alert
# and one URL alert; correlate on source address and host rather than counting them
# as separate events.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yutoridesignpty.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"yutoridesignpty.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain
- confidence level: 100%)"; dns_query; content:"zpcm9g8o.synthgrid.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755674; rev:1;)
# ThreatFox IOC rules, one indicator per rule. Domain rules match only a query for
# exactly the listed name (depth equals the content length, isdataat:!1,relative
# rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9gztfgi4.synthgrid.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755673; rev:1;)
# ip:port rules, all confidence_level 75. No flow or payload keyword is present, so
# any TCP packet from $HOME_NET to the address and port alerts, at most once per
# source address per 60 seconds. Several use common service ports (443, 8443), where
# the rule cannot tell the listed service from anything else hosted on the address.
# metadata carries first_seen only and the rule has no expiry; check the indicator's
# current status via reference:url before acting on an old match.
alert tcp $HOME_NET any -> [99.83.243.110] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755672/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755672; rev:1;)
alert tcp $HOME_NET any -> [213.183.41.212] 74 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755671/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755671; rev:1;)
alert tcp $HOME_NET any -> [209.131.67.60] 32135 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755670/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755670; rev:1;)
alert tcp $HOME_NET any -> [206.189.12.191] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755669/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755669; rev:1;)
alert tcp $HOME_NET any -> [18.175.12.44] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755668/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755668; rev:1;)
alert tcp $HOME_NET any -> [116.26.11.203] 36020 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755667/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mebelarity.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"95zxw7vw.opticprime.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wmqbd7l8.opticprime.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755655; rev:1;)
alert tcp $HOME_NET any -> [94.154.35.160] 83 (msg:"ThreatFox
DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755654; rev:1;)
# ip:port IOCs: matched on destination address and port only (no flow or content keyword),
# rate-limited to one alert per source address per 60 seconds by the threshold option.
alert tcp $HOME_NET any -> [188.166.233.12] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755653; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.101] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755652; rev:1;)
alert tcp $HOME_NET any -> [94.156.152.67] 8657 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755484; rev:1;)
# URL IOCs with an IP literal as host (confidence_level 75). http.host is matched exactly
# (depth equals the content length, isdataat:!1,relative) and http.uri is anchored at the
# start by depth:33. Both rules inspect parsed HTTP only, so they see cleartext requests.
# NOTE(review): the path content is all lower case and carries nocase; the segment ends in
# "=" and resembles Base64 text. If the original request used mixed case, nocase is what
# lets this lowercased copy match — confirm against the ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"89.169.12.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755501/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"213.176.73.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755514/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755514; rev:1;)
# The next two rules describe the same endpoint at confidence_level 80: an ip:port rule for
# 45.135.194.23 and a DNS rule whose query name embeds that same address. One host may
# raise both; the DNS rule fires only on a query for that exact name.
alert tcp $HOME_NET any -> [45.135.194.23] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755563/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_28; classtype:trojan-activity; sid:91755563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"45.135.194.23.ptr.pfcloud.network"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755564/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_28; classtype:trojan-activity; sid:91755564; rev:1;)
alert tcp $HOME_NET any -> [146.190.227.147] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755617; rev:1;)
# Port 80 ip:port rule: it matches any TCP traffic to this address and port, so other
# content served from the same address would alert as well; check HTTP logs for context.
alert tcp $HOME_NET any -> [49.234.13.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755642; rev:1;)
alert tcp $HOME_NET any -> [143.92.51.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755641/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mddgroup.ro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755640; rev:1;) alert tcp $HOME_NET any -> [210.56.48.3] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755639; rev:1;) alert tcp $HOME_NET any -> [114.66.10.128] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755638/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755638; rev:1;) alert tcp $HOME_NET any -> [137.220.224.87] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755637/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755637; rev:1;) alert tcp $HOME_NET any -> [114.132.222.244] 30222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"mdatemp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdaestheticsmobilebay.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mczcontemplados.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcwedding.topvacations.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mco.edu.vn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download-book.jp.net"; depth:20; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1755630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755630; rev:1;)
# Domain IOCs: each dns_query rule matches one exact name (depth equals the name length,
# isdataat:!1,relative rejects trailing bytes, nocase ignores letter case).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decrvv.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755629; rev:1;)
# NOTE(review): a.pinggy.io (next rule) and unenvied-saskatoon.with.playit.plus (further
# down) look like hostnames under public tunnelling services — confirm. If so, the name
# identifies a relay operated by the service rather than attacker-owned infrastructure, it
# may be shared with or re-assigned to unrelated users, and legitimate use of the service
# inside $HOME_NET will also alert. Triage hits with the host's process and flow context
# rather than treating each lookup as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.pinggy.io"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755628; rev:1;)
# ip:port IOC: header-only match, limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [209.25.140.25] 27034 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unenvied-saskatoon.with.playit.plus"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5mux6rtj8.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7v4hd5u6r.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mclawpc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mbm.maximelauzier.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mazurskiwypoczynek.com.pl"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mayprint.ma"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"maynuocnongsolahart.vn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755619; rev:1;) alert tcp $HOME_NET any -> [152.53.82.239] 3003 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755618/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mayhematthemarket.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755616; rev:1;) alert tcp $HOME_NET any -> [16.171.60.27] 42833 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luukva.site.transip.me"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755614; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1755613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755613; rev:1;) alert tcp $HOME_NET any -> [107.148.49.212] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755612; rev:1;) alert tcp $HOME_NET any -> [137.220.224.90] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755611; rev:1;) alert tcp $HOME_NET any -> [113.44.189.231] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755610; rev:1;) alert tcp $HOME_NET any -> [115.191.53.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lususlee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"misled.picklescoop.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755607; rev:1;) alert tcp $HOME_NET any -> [115.231.70.49] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755605; rev:1;) alert tcp $HOME_NET any -> [8.219.102.252] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755606; rev:1;) alert tcp $HOME_NET any -> [89.223.95.22] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755604; rev:1;) alert tcp $HOME_NET any -> [20.246.108.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755603; rev:1;) alert tcp $HOME_NET any -> [20.246.108.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755602/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755602; rev:1;) alert tcp $HOME_NET any -> [178.255.244.5] 56260 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755601; rev:1;) alert tcp $HOME_NET any -> [156.224.28.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755600; rev:1;) alert tcp $HOME_NET any -> [59.110.40.60] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755599/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mls-home-listings.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v3.braniffpages.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755597/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v3.artiminds.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755596/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v3.akiyonoguchi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755595/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v2.braniffpages.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755594/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v2.artiminds.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755593/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v2.akiyonoguchi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755592/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantri.braniffpages.com"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755591/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantri.artiminds.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755590/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quantri.akiyonoguchi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755589/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phishing.braniffpages.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755588/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phishing.artiminds.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755587/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phishing.akiyonoguchi.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755586/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"malware.braniffpages.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755585/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"malware.artiminds.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755584/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"malware.akiyonoguchi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755583/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.braniffpages.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755582/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.artiminds.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755581/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; 
sid:91755581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.akiyonoguchi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755580/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"data.braniffpages.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755579/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"data.artiminds.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755578/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"data.akiyonoguchi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755577/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"backup.braniffpages.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755576/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"backup.artiminds.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755575/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755575; rev:1;)
# Exact-name DNS matching: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so each rule covers one hostname only. The apex rules for artiminds.com
# and akiyonoguchi.com below therefore do not cover their subdomains; each subdomain
# (atex., backup., ...) has its own rule, and a subdomain without one does not alert.
# NOTE(review): no apex rule for braniffpages.com is visible in this part of the file —
# check whether that is intended.
# The braniffpages/artiminds/akiyonoguchi rules carry confidence_level 75.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"backup.akiyonoguchi.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755574/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atex.braniffpages.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755573/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atex.artiminds.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755572/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atex.akiyonoguchi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755571/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artiminds.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755570/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"akiyonoguchi.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755569/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_28; classtype:trojan-activity; sid:91755569; rev:1;)
# Payload-delivery domain IOCs (confidence_level 100). An alert records a DNS lookup by the
# source host; pair it with proxy or flow logs to see whether anything was fetched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mawani.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mattsmachineshop.co.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matthiaserath.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matthewspj.ca"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; 
classtype:trojan-activity; sid:91755565; rev:1;)
# Domain rules: dns_query + content + depth equal to the name's length + isdataat:!1,relative
# match one exact query name, case-insensitively; subdomains of a listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matteotostoni.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matovicaccounting.com.au"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755561; rev:1;)
# ip:port rules (every `alert tcp` rule below uses the same template): the header pins one
# destination address and port, and the options hold no flow, flags or content condition, so
# any TCP packet from $HOME_NET to that endpoint matches, including a connection attempt that
# is never answered. threshold: type limit, track by_src, seconds 60, count 1 caps the output
# at one alert per source address per 60 seconds. The family name exists only in msg; the rule
# does not inspect the protocol spoken on the connection.
# NOTE(review): address-based indicators lose value once the address is reassigned; first_seen
# in metadata gives the indicator's age, so consider expiring old entries.
alert tcp $HOME_NET any -> [78.29.43.89] 40978 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755560; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.143] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755559; rev:1;)
alert tcp $HOME_NET any -> [65.108.225.254] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755558; rev:1;)
alert tcp $HOME_NET any -> [130.94.33.141] 42208 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755557; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.115] 22560 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_28; classtype:trojan-activity; sid:91755556; rev:1;)
# Exact-name domain rules again; first_seen changes to 2026_02_27 from here on.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"materiali.justlegalservices.it"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"material.agmstudio.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755554/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matchreport.pt"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755553; rev:1;)
alert tcp $HOME_NET any -> [197.0.81.220] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755552/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dpkfs9tho.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newhigh.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raw26.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755549; rev:1;) alert tcp $HOME_NET any -> [94.154.35.160] 81 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755548; rev:1;) alert tcp $HOME_NET any -> [198.135.54.230] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755546; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 9999 (msg:"ThreatFox Venom RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trabajorcm20262090.kozow.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.aricimprota.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.aricimprota.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.aricimprota.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.aricimprota.com"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.aricimprota.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.aricimprota.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.aricimprota.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.aricimprota.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aricimprota.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755535/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.aricimprota.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suabepga.com.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755534; rev:1;) alert tcp $HOME_NET any -> [162.212.153.138] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755533/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fahd-dalma.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilaczte.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilaczte.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilaczte.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755527/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilaczte.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilaczte.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczte.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczte.tv"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilaczte.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilaczte.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gnchdcvq.webweave.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kmlip9op.webweave.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masjidjannatin.lanmarjkt.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1755520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755520; rev:1;) alert tcp $HOME_NET any -> [176.114.91.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755519/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"master-implant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"massage.special-center.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marty.asgcorp.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mascapacidades.fundacioncisen.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; 
classtype:trojan-activity; sid:91755515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masa-shipping.com.ly"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755513; rev:1;) alert tcp $HOME_NET any -> [27.124.20.143] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755512; rev:1;) alert tcp $HOME_NET any -> [27.124.20.136] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755511; rev:1;) alert tcp $HOME_NET any -> [159.65.245.86] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755510; rev:1;) alert tcp $HOME_NET any -> [27.124.20.138] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755509; rev:1;) alert tcp $HOME_NET any -> [172.239.98.123] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755508; rev:1;) alert tcp $HOME_NET any -> [85.137.249.45] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755506; rev:1;) alert tcp $HOME_NET any -> [3.21.178.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755507; rev:1;) alert tcp $HOME_NET any -> [38.148.247.212] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755505; rev:1;) alert tcp $HOME_NET any -> [161.35.221.116] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755504; rev:1;) alert tcp $HOME_NET any -> [162.245.218.22] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755503; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"martorellcargo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755502; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755499; rev:1;) alert tcp $HOME_NET any -> [116.102.239.155] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755500; rev:1;) alert tcp $HOME_NET any -> [185.49.165.41] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755498; rev:1;) alert tcp $HOME_NET any -> [185.49.165.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755497; rev:1;) alert tcp $HOME_NET any -> [147.124.219.156] 31203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1755496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755496; rev:1;) alert tcp $HOME_NET any -> [78.142.18.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755495; rev:1;) alert tcp $HOME_NET any -> [78.142.18.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fb88e.eu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fut.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5w2x7glx.pixelpeak.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755491; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jmy86af7.pixelpeak.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755490; rev:1;)
# Domain rule: content + depth equal to the name's length + isdataat:!1,relative match this
# exact query name only (case-insensitively); it fires on the lookup, not on a transfer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marshal-eng.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755489; rev:1;)
# ip:port rule at confidence_level 75: no flow, flags or content condition, so any TCP packet
# from $HOME_NET to this address and port matches; the threshold caps it at one alert per
# source address per 60 seconds. The family name comes from msg only.
alert tcp $HOME_NET any -> [49.119.121.19] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755488/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755488; rev:1;)
# URL rule: flow:established,from_client restricts it to client-to-server data on an established
# flow. http.method must contain "GET". http.uri must begin with the listed path: depth equals
# the path length and there is no end anchor, so a longer URI or an appended query string still
# matches. http.host must equal the literal address (depth plus isdataat:!1,relative).
# The rule has no threshold option, unlike the ip:port rules, so every matching request alerts.
# It can only match HTTP that the sensor sees in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9f53354de2964d8b.php"; depth:21; nocase; http.host; content:"82.25.63.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4sontfzx.quantumloop.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"842yoa9r.quantumloop.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marolive.es"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgh.co.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vlxx88.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xenqxd-58809.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"markslawnsandgardens.com.au"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755479; rev:1;)
# ip:port rules: there are no payload or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; the malware family appears
# only in msg. threshold limits output to one alert per source address per 60
# seconds. The sid is the ThreatFox IOC id from the reference URL prefixed with 9.
# NOTE(review): the next three entries carry confidence_level 75 (feed value);
# consider triaging them below the confidence_level 100 entries.
alert tcp $HOME_NET any -> [198.23.175.51] 4078 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755478/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755478; rev:1;)
alert tcp $HOME_NET any -> [45.13.237.121] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755477/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755477; rev:1;)
alert tcp $HOME_NET any -> [46.31.77.130] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755476/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755476; rev:1;)
# Domain rules: depth is the pattern length and isdataat:!1,relative requires that
# nothing follows the match, so the whole DNS query name must equal the domain
# (case-insensitively). Subdomains of a listed name are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.kalygenesis.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755475; rev:1;)
alert tcp $HOME_NET any -> [5.252.153.53] 3333 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755474/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rockcredit.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"da2n21zm01f.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hinajonuci.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juqidogise.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucaloreve.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755472; rev:1;)
# Port 443 with no payload match: every connection from a host to this address
# alerts (rate-limited by threshold). confidence_level is 75.
alert tcp $HOME_NET any -> [192.159.99.98] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755468/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755468; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 37215 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcanepanel.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755353; rev:1;)
# URL rules: client-to-server GET on an established flow. http.uri is anchored at
# the start by depth but has no end check, so longer URIs that begin with this
# path also match; http.host must equal the name exactly.
# NOTE(review): these rules need the request to be visible to the HTTP parser; if
# the host is reached over TLS without decryption, presumably only the domain
# rule above will fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/upload/mardell"; depth:19; nocase; http.host; content:"arcanepanel.cc"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755356; rev:1;)
# The api. subdomain and its parent are separate IOCs because the match is exact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.genesishaha.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genesishaha.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrbfederali.cam"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755373; rev:1;)
# The URI pattern is all lower case and is matched with nocase.
# NOTE(review): it looks like a lower-cased Base64 token, so the original casing
# cannot be read back from this rule; use the referenced IOC if it is needed.
# http.host is an IP literal here; confidence_level is 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"213.176.73.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755375/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755375; rev:1;)
alert tcp $HOME_NET any -> [27.102.137.81] 31231 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dataspark.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8g5f.js"; depth:8; nocase; 
http.host; content:"nicorica.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755449; rev:1;)
# Same host covered by a domain rule and URL rules: the dns rule fires on the
# lookup (whole query name must equal the domain), the http rules only on a GET
# whose URI starts with the listed path and whose host equals the name.
# NOTE(review): the http rules need a request the HTTP parser can see; over TLS
# without decryption, presumably only the dns rule will alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nicorica.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"nicorica.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755451; rev:1;)
# nonserest.top (below) and xerexoret.top (further down) are listed with the same
# /proxy/permission-script.php and /proxy/reset-server.js paths -- presumably one
# campaign. Each rule stays bound to its own host through the exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy/permission-script.php"; depth:28; nocase; http.host; content:"nonserest.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nonserest.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy/reset-server.js"; depth:22; nocase; http.host; content:"nonserest.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755454; rev:1;)
# Short URI prefixes (/flare, /bobby): the URI check alone is weak because it only
# anchors the start; the specificity of these two rules comes from http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flare"; depth:6; nocase; http.host; content:"clipwirt.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bobby"; depth:6; nocase; http.host; content:"193.111.208.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy/handler-ajax.js"; depth:22; nocase; http.host; content:"xerexoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy/permission-script.php"; depth:28; nocase; http.host; content:"xerexoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xerexoret.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy/reset-server.js"; depth:22; nocase; http.host; content:"xerexoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"images.grovecityshoplocal.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketingdainformacao.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755462; rev:1;)
# ip:port rules carry no payload or flow keywords: they match on the destination
# address and port alone, and threshold caps them at one alert per source per 60
# seconds. The family named in msg comes from the feed and is not checked on the wire.
alert tcp $HOME_NET any -> [24.199.98.175] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755461; rev:1;)
alert tcp $HOME_NET any -> [139.64.13.176] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755460; rev:1;)
alert tcp $HOME_NET any -> [45.158.8.74] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariuszbrucki.pl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755458; rev:1;)
alert tcp $HOME_NET any -> [111.10.16.104] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755448; rev:1;)
alert tcp $HOME_NET any -> [76.13.198.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755447; 
rev:1;)
alert tcp $HOME_NET any -> [5.89.184.186] 49151 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755446; rev:1;)
# Exact-name matching (depth = pattern length, isdataat:!1,relative, nocase):
# only the listed query name alerts, not the suffix it sits under (us.com,
# it.com, za.com, ...) and not other names under that suffix.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-prrtner.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dlp.us.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr88v788.it.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doubleclick.it.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dours.za.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iaef.us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755440; rev:1;)
# ydns.eu / mywire.org names -- presumably dynamic-DNS hostnames. Each host label
# is its own IOC; the shared parent zone itself is not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bendicion.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hawai.ydns.eu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salomon777.mywire.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enero.mywire.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balance.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755436; rev:1;)
# NOTE(review): the destination port below is written "0207", with a leading
# zero. Confirm against the referenced IOC which port was meant, and check how
# your Suricata version loads this rule before relying on it.
alert tcp $HOME_NET any -> [158.94.211.185] 0207 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aftonbladet.gb.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marija-gross.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755432; rev:1;)
alert tcp $HOME_NET any -> [8.148.64.76] 12656 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polygon-cnd-stats.sbs"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcdns-imager.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755429; rev:1;)
# Payload-delivery IOC expressed as ip:port on 443: with no payload keywords, any
# TCP packet from a host to this address on 443 alerts (one per source per 60 s).
alert tcp $HOME_NET any -> [94.154.35.161] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"llc-image-ico.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marebtech.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gaos1opo.dataspark.digital"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755425; rev:1;)
# Subdomain IOC: the rule matches this full query name only (depth = pattern
# length plus isdataat:!1,relative); sibling labels under the same parent need
# their own rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"owrfndy9.dataspark.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marcoguercini.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755421; rev:1;)
# ip:port rules match on destination address and port only -- no payload or flow
# keywords -- and are capped at one alert per source per 60 seconds.
# NOTE(review): on common ports (80, 443) this means every connection to the
# address alerts; first_seen in metadata is the only age signal in the rule, so
# consider ageing these out if the address may have been reassigned.
alert tcp $HOME_NET any -> [185.72.8.101] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marchveterinarytrainingcenter.co.id"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755418; rev:1;)
# URL rule with an IP-literal host: GET from the client on an established flow,
# URI beginning with /iremotepanel (start-anchored, case-insensitive, no end
# check), and http.host equal to the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iremotepanel"; depth:13; nocase; http.host; content:"77.90.185.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nbcockj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755416; rev:1;)
alert tcp $HOME_NET any -> [13.112.19.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755415; rev:1;)
alert tcp $HOME_NET any -> [222.80.156.9] 8800 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755414; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.153] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755413; rev:1;)
alert tcp $HOME_NET any -> [89.124.74.114] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755412; rev:1;)
alert tcp $HOME_NET any -> [78.46.66.146] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755411; rev:1;)
# duckdns.org name -- presumably a dynamic-DNS hostname; only this exact query
# name is matched, not duckdns.org itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stilldontknowhyisdifficultforworldtounde.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755410; rev:1;)
alert tcp $HOME_NET any -> [31.57.97.69] 34245 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755409; rev:1;)
alert tcp $HOME_NET any -> [158.94.211.151] 1605 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755408; rev:1;)
alert tcp $HOME_NET any -> [66.154.110.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2azr2jei.coreforge.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"csyx0ohs.coreforge.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755405; rev:1;)
alert tcp $HOME_NET any -> [110.43.68.67] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755404; rev:1;)
alert tcp $HOME_NET any -> [102.189.154.199] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfzpark7.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magicalwindows.magicalwindow.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755401/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_27; classtype:trojan-activity; sid:91755401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.rodolfosabino.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755400; rev:1;)
# Most entries from here on carry confidence_level 50 (feed value, repeated in
# msg and metadata). NOTE(review): candidates for a lower alert priority or a
# separate triage queue from the confidence_level 100 entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"softconnectsoftware.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755399/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"primerelays.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755398/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755398; rev:1;)
# The port in this ip:port rule (64203) also appears as the suffix of the
# portmap.host name in the next rule -- presumably the same tunnel endpoint.
# NOTE(review): portmap.host looks like a port-forwarding service, so the
# address is likely shared between tenants and the port is the distinguishing
# part of the match; verify before acting on the address alone.
alert tcp $HOME_NET any -> [193.161.193.99] 64203 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755397/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fkeasfodsfkefoapdsofkp-64203.portmap.host"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755395/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"milkai2002-61901.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755396/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755396; rev:1;)
# pastebin.com is a shared paste site; only a GET whose URI starts with this one
# paste path is matched, and http.host must equal pastebin.com.
# NOTE(review): the path is lower case and matched with nocase; paste ids are
# presumably case-sensitive, so a different paste whose id differs only in case
# would also alert. The rule needs a cleartext HTTP request -- confirm whether
# the sensor sees decrypted traffic, otherwise it will likely not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/guvrqalj"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755394/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755394; rev:1;)
# The AsyncRAT entries for 172.67.149.125 and 104.21.47.177 (confidence_level 50)
# list the same six ports (4782, 6606, 7707, 8808, 8848, 8888) for each address.
# They match on destination address and port only, one alert per source per 60 s.
# NOTE(review): both addresses appear to sit in CDN / reverse-proxy address
# space -- confirm with an ASN lookup. If so, the address is shared by unrelated
# sites and an alert says little on its own; correlate with host telemetry.
alert tcp $HOME_NET any -> [172.67.149.125] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755391/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755391; rev:1;)
alert tcp $HOME_NET any -> [172.67.149.125] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755392/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755392; rev:1;)
alert tcp $HOME_NET any -> [172.67.149.125] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755393/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755393; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755381/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755381; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755382/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755382; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755383/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755383; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755384/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755384; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755385/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755385; rev:1;)
alert tcp $HOME_NET any -> [104.21.47.177] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755386/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755386; rev:1;)
alert tcp $HOME_NET any -> [172.67.149.125] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755388/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755388; rev:1;)
alert tcp $HOME_NET any -> [172.67.149.125] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755389/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755389; rev:1;)
alert tcp $HOME_NET any -> [172.67.149.125] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755390/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ivoryiguana.in.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755379/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.insatt.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"nids13.dynv6.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755377/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755377; rev:1;)
# URL rule, feed confidence 50. http.uri content:"/" with depth:1 matches every request
# path, so this fires on any GET whose Host is exactly the listed name (http.host is
# anchored by depth plus isdataat:!1,relative). The http.* keywords inspect parsed HTTP
# only; a request made over TLS is not seen unless it is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.1tqbo.mecanicasanjuan.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755376/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_27; classtype:trojan-activity; sid:91755376; rev:1;)
# Payload-delivery domains, feed confidence 100. dns_query is matched exactly: depth
# equals the name length and isdataat:!1,relative forbids trailing bytes, so neither
# subdomains nor the parent domain match. nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luatsukhanh.vn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.e3digitalagencia.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l3jvnuw2.smartcanvas.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4tj2wnp5.smartcanvas.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.blackdev.com.br"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.bewertungsloescher.de"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marcelinoultra.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.balashoff.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755364; rev:1;)
# ip:port rules for DeimosC2 and Sliver, feed confidence 75. There is no content, flow
# or flags keyword: any TCP packet from $HOME_NET to the address and port matches, so an
# alert shows an attempted connection, not a confirmed session. threshold (type limit,
# track by_src, seconds 60, count 1) allows one alert per source per minute.
# NOTE(review): both names are frameworks that authorised red teams also run - check
# for a sanctioned engagement when triaging.
alert tcp $HOME_NET any -> [91.108.242.41] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755363/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755363; rev:1;)
alert tcp $HOME_NET any -> [45.59.117.195] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755362/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755362; rev:1;)
alert tcp $HOME_NET any -> [45.59.117.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755361/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755361; rev:1;)
# Two more exact-match payload-delivery domains (confidence 100).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp-lelovet.lukas-rodrigues.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marchand-couleurs.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755357; rev:1;)
# Empire Downloader on port 80: the rule keys on address and port alone, so any TCP
# packet from $HOME_NET to this host on port 80 raises the alert.
alert tcp $HOME_NET any -> [144.126.220.138] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755320; rev:1;)
# Start of a Meterpreter ip:port rule; the rest of it is on the following line of the file.
alert tcp $HOME_NET any -> [95.40.96.246] 49502 (msg:"ThreatFox Meterpreter botnet C2 traffic
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755319; rev:1;)
# ip:port rules, feed confidence 100. No content, flow or flags keyword is present, so
# any TCP packet from $HOME_NET to the address and port matches; threshold (type limit,
# track by_src, seconds 60, count 1) allows one alert per source per minute.
alert tcp $HOME_NET any -> [103.177.47.229] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755318; rev:1;)
alert tcp $HOME_NET any -> [212.34.134.3] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755317; rev:1;)
# Payload-delivery domains. dns_query is matched exactly (depth equals the name length,
# isdataat:!1,relative forbids trailing bytes), so subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marbleshop.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maraproct.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maradoll.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755314; rev:1;)
# URL rule: http.uri is a case-insensitive prefix match on the path, http.host is an
# exact match. The http.* keywords only see parsed (cleartext or decrypted) HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aad8356b.php"; depth:13; nocase; http.host; content:"ck929350.tw1.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maquinariacnc.mx"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755312; rev:1;)
# Aisuru C2 rules: one rule per address/port pair, and the same few addresses recur on
# several ports. Every rule carries its own sid and threshold, so a host that contacts
# several of these ports can raise several alerts within the same minute.
alert tcp $HOME_NET any -> [206.189.177.137] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755125; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755127; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755129; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755170; rev:1;)
alert tcp $HOME_NET any -> [161.35.171.177] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755189/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755189; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755208; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755212; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 34567 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755214; rev:1;)
# Start of a URL rule (confidence 90); its remaining options are on the following line
# of the file. http.uri content:"/" with depth:1 matches every request path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"verify-slack.com";
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755215/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755215; rev:1;)
# Aisuru ip:port rule. It has no content, flow or flags keyword, so any TCP packet from
# $HOME_NET to the address and port matches; threshold (type limit, track by_src,
# seconds 60, count 1) allows one alert per source per minute.
alert tcp $HOME_NET any -> [46.101.85.248] 9035 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755217; rev:1;)
# Exact-match DNS rule, feed confidence 75: depth equals the name length and
# isdataat:!1,relative forbids trailing bytes, so subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teshlsy.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755218/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755218; rev:1;)
# URL rule, feed confidence 90. http.uri content:"/" with depth:1 matches every path,
# so the rule is effectively "any GET to this exact Host". The http.* keywords only see
# parsed HTTP; requests over TLS need decryption before inspection to be matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"goansgsr.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755219/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755219; rev:1;)
# More Aisuru address/port pairs. Each rule has its own sid and threshold, so one host
# reaching several ports on the same address can raise several alerts.
alert tcp $HOME_NET any -> [206.189.177.137] 9035 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755222; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 12345 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755225; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 9035 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755224; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 5555 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755246; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 12345 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755248; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 37215 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755253; rev:1;)
# URL rule (confidence 90) with the same any-path shape: exact Host, path pattern "/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"inheritance-claims-portal-32792.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755257/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755257; rev:1;)
# Mirai ip:port rules, feed confidence 80.
alert tcp $HOME_NET any -> [176.65.148.52] 1915 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755266/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_27; classtype:trojan-activity; sid:91755266; rev:1;)
alert tcp $HOME_NET any -> [176.65.148.52] 2000 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755267/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_27; classtype:trojan-activity; sid:91755267; rev:1;)
# Aisuru ip:port rules, feed confidence 100. The last one is cut by the file's line
# wrapping and finishes on the following line.
alert tcp $HOME_NET any -> [46.101.85.248] 5555 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755269; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 37215 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755291; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 8443 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755112; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755113/; target:src_ip; metadata: confidence_level 100, first_seen
2026_02_27; classtype:trojan-activity; sid:91755113; rev:1;)
# Aisuru and Bashlite ip:port rules, feed confidence 100. No content, flow or flags
# keyword is present, so any TCP packet from $HOME_NET to the address and port matches;
# threshold (type limit, track by_src, seconds 60, count 1) allows one alert per source
# per minute.
alert tcp $HOME_NET any -> [68.183.45.80] 9034 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755115; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755117; rev:1;)
alert tcp $HOME_NET any -> [212.104.141.101] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755119; rev:1;)
# wuliaox.com and eshleytrei.top each appear in URL rules and in a DNS rule, so a single
# fetch can raise a DNS alert and an HTTP alert for the same host.
# In the URL rules http.uri is a case-insensitive prefix match (anchored at the start
# only) and http.host is an exact match; the DNS rules match the query name exactly.
# The http.* keywords only see parsed HTTP, i.e. cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2g5a.js"; depth:8; nocase; http.host; content:"wuliaox.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wuliaox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"wuliaox.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/api-theme.php"; depth:18; nocase; http.host; content:"eshleytrei.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eshleytrei.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/private-compiler.js"; depth:24; nocase; http.host; content:"eshleytrei.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755101; rev:1;)
alert tcp $HOME_NET any -> [68.183.45.80] 8080 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755105; rev:1;)
# Two more URL rules. In the second one the http.host pattern is an IP literal, so it
# matches requests whose Host value is that address rather than a domain name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/angle"; depth:6; nocase; http.host; content:"freuterby.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concise"; depth:8; nocase; http.host; content:"89.46.38.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755103; rev:1;)
# Exact-match payload-delivery domains: subdomains and parent domains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mamsavictoria.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mapsresidency.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755310; rev:1;)
# Xtreme RAT ip:port rule; it is cut by the file's line wrapping and finishes on the
# following line.
alert tcp $HOME_NET any -> [221.229.53.191] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755308/; target:src_ip; metadata: confidence_level 100, first_seen
2026_02_27; classtype:trojan-activity; sid:91755308; rev:1;)
# ip:port rules, feed confidence 100. No content, flow or flags keyword is present, so
# any TCP packet from $HOME_NET to the address and port matches - the alert shows an
# attempted connection, not a confirmed session. threshold (type limit, track by_src,
# seconds 60, count 1) allows one alert per source per minute. The second rule is
# labelled "Unknown malware" by the feed and targets port 443.
alert tcp $HOME_NET any -> [183.134.55.233] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755309; rev:1;)
alert tcp $HOME_NET any -> [5.89.184.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755307; rev:1;)
# C2 names under duckdns.org. dns_query is matched exactly (depth equals the name
# length, isdataat:!1,relative forbids trailing bytes), so only these two host names
# alert - other names under the same parent domain do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cansdalestakoonly1.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cansdalestakoonly163962.duckdns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755306; rev:1;)
# Further ip:port rules (Venom RAT, Unknown malware, AsyncRAT, Cobalt Strike), all at
# feed confidence 100 and all keyed on destination address and port alone.
# NOTE(review): Cobalt Strike is also used by authorised red teams - check for a
# sanctioned engagement when triaging that alert.
alert tcp $HOME_NET any -> [116.102.239.155] 6002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755304; rev:1;)
alert tcp $HOME_NET any -> [116.102.239.155] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755303; rev:1;)
alert tcp $HOME_NET any -> [68.183.11.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755302; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.59] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755301; rev:1;)
alert tcp $HOME_NET any -> [23.226.136.169] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755300; rev:1;)
# Exact-match DNS rules, a mix of "payload delivery" and "botnet C2 traffic" labels.
# The two ddns.net entries match only the listed host names, not the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maplemedaesthetics.ca"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maokingdom.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcmacaty.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mantudas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indahoodd.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755294; rev:1;)
# XWorm ip:port rules, feed confidence 100.
alert tcp $HOME_NET any -> [193.222.99.44] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755295; rev:1;)
alert tcp $HOME_NET any -> [185.249.197.163] 666 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755293; rev:1;)
# Start of a DNS rule; the rest of it is on the following line of the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload
delivery (domain - confidence level: 100%)"; dns_query; content:"mangoes.red"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755289; rev:1;)
# CASTLELOADER ip:port rules, feed confidence 75. No content, flow or flags keyword is
# present, so any TCP packet from $HOME_NET to the address and port matches; threshold
# (type limit, track by_src, seconds 60, count 1) allows one alert per source per minute.
alert tcp $HOME_NET any -> [78.153.155.131] 2096 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755287/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755287; rev:1;)
alert tcp $HOME_NET any -> [78.153.155.131] 8069 (msg:"ThreatFox CASTLELOADER botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755288/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755288; rev:1;)
# Payload-delivery domains, feed confidence 100. dns_query is matched exactly: depth
# equals the name length and isdataat:!1,relative forbids trailing bytes, so subdomains
# and parent domains do not match. nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manelalemany.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mandepachau.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mamiaota.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manakamanacablecar.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755283; rev:1;)
# ip:port rules at feed confidence 100 for several families. Several use low or common
# ports (80, 82, 83, 443, 501); because the rules key on address and port alone, any TCP
# packet to the listed host on that port alerts.
# NOTE(review): Empire, Meterpreter and Havoc are also run by authorised red teams, and
# NetSupport Manager is a commercial remote-administration product - check for a
# sanctioned engagement or approved deployment when triaging.
alert tcp $HOME_NET any -> [52.201.156.70] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755282; rev:1;)
alert tcp $HOME_NET any -> [15.223.202.30] 83 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755280; rev:1;)
alert tcp $HOME_NET any -> [44.202.153.116] 2455 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755281; rev:1;)
alert tcp $HOME_NET any -> [3.253.237.197] 501 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755279; rev:1;)
alert tcp $HOME_NET any -> [84.154.178.222] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755278; rev:1;)
alert tcp $HOME_NET any -> [34.81.189.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755276; rev:1;)
alert tcp $HOME_NET any -> [141.98.190.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755277; rev:1;)
alert tcp $HOME_NET any -> [77.105.139.80] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755275; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.94] 10002 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755274; rev:1;)
# Start of a second Remcos rule; the rest of it is on the following line of the file.
alert tcp $HOME_NET any -> [162.245.218.27] 4000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755272/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755272; rev:1;) alert tcp $HOME_NET any -> [185.241.211.23] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755273; rev:1;) alert tcp $HOME_NET any -> [3.133.141.57] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manage2live.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"man2ska.sch.id"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755268; rev:1;) alert tcp $HOME_NET any -> [195.177.94.66] 4000 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"zykopenclaw1-50012.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755264; rev:1;) alert tcp $HOME_NET any -> [89.167.50.14] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755263; rev:1;) alert tcp $HOME_NET any -> [195.226.92.128] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755262/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_27; classtype:trojan-activity; sid:91755262; rev:1;) alert tcp $HOME_NET any -> [118.107.29.191] 7372 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755261/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_27; classtype:trojan-activity; sid:91755261; rev:1;) alert tcp $HOME_NET any -> [8.138.112.209] 1112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoxt2.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755259/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maler-klissenbauer.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maki323.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"makhosimichaelafoundation.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"makfinanceexperts.com.au"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"majorel.ee"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755252; rev:1;) alert tcp $HOME_NET 
any -> [45.131.214.60] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"majesticbuildingmaintenance.ca"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"majabie.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maisveiculoserechim.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maistel.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"maisonmono.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maisonboncenne.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755243; rev:1;) alert tcp $HOME_NET any -> [15.168.235.170] 20259 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_27; classtype:trojan-activity; sid:91755242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mainlinebathrooms.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"main.entrehermanos.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755240/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maicoanguilla.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755239/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755239; rev:1;) alert tcp $HOME_NET any -> [188.26.197.24] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755238; rev:1;) alert tcp $HOME_NET any -> [103.237.86.35] 2245 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"successki002.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755236; rev:1;) alert tcp $HOME_NET any -> [107.172.135.16] 4550 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755233; rev:1;) alert tcp $HOME_NET any -> [107.172.135.16] 4551 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755234; rev:1;) alert tcp $HOME_NET any -> [107.172.135.16] 4553 (msg:"ThreatFox Remcos botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strawin991.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755232; rev:1;) alert tcp $HOME_NET any -> [103.27.177.116] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broadres3.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755230; rev:1;) alert tcp $HOME_NET any -> [62.60.153.192] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755229/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_26; classtype:trojan-activity; sid:91755229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfzpark.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755228/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakurabaema.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mahodadhiestate.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magreens.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3pf82esd.globalframe.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y4aruwit.globalframe.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; 
sid:91755220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magkim.com.tr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magicrenovationpainting.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magazine.sorrentotransfer.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magazin.meilenstiefel-zuckerbrot.de"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755210; rev:1;) alert tcp $HOME_NET any -> [36.147.16.28] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755209/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755209; rev:1;) alert tcp $HOME_NET any -> [103.23.255.74] 80 (msg:"ThreatFox Empire Downloader botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mafrabiosemijoias.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755206; rev:1;) alert tcp $HOME_NET any -> [18.167.54.193] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755205; rev:1;) alert tcp $HOME_NET any -> [94.154.35.160] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755204; rev:1;) alert tcp $HOME_NET any -> [54.196.199.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755203; rev:1;) alert tcp $HOME_NET any -> [179.61.145.140] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755202/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755202; rev:1;) alert tcp $HOME_NET any -> [35.185.182.234] 1961 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755201; rev:1;) alert tcp $HOME_NET any -> [176.65.132.29] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755200; rev:1;) alert tcp $HOME_NET any -> [103.47.146.161] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755199; rev:1;) alert tcp $HOME_NET any -> [23.106.45.121] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755198; rev:1;) alert tcp $HOME_NET any -> [163.5.56.206] 5938 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755197; rev:1;) alert tcp $HOME_NET any -> [130.94.66.244] 80 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755196; rev:1;) alert tcp $HOME_NET any -> [130.94.66.244] 443 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755195; rev:1;) alert tcp $HOME_NET any -> [47.238.234.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755194; rev:1;) alert tcp $HOME_NET any -> [47.93.147.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755193; rev:1;) alert tcp $HOME_NET any -> [192.243.122.101] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755192/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755192; rev:1;) alert tcp $HOME_NET any -> [187.156.122.63] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755191; rev:1;) alert tcp $HOME_NET any -> 
[185.218.138.25] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755190/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755190; rev:1;) alert tcp $HOME_NET any -> [169.55.114.216] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755188/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755188; rev:1;) alert tcp $HOME_NET any -> [158.247.211.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755187/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madridws.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madrassenochkapellet.se"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755185; rev:1;) alert tcp $HOME_NET any -> [158.94.209.22] 39888 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1755184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755184; rev:1;)
# Domain rules (dns_query): depth equals the length of the listed name, which pins the match to the
# start of the query buffer, and isdataat:!1,relative requires the buffer to end right after it.
# Together they match the exact name only; a subdomain or parent of a listed name does not alert.
# nocase makes the comparison case-insensitive. target:src_ip marks the source address (the
# $HOME_NET host) as the target of the attack in the generated event.
# NOTE(review): dns_query is the older spelling of the dns.query buffer keyword - confirm the
# deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madisonmedical.com.do"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feb930000.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755182; rev:1;)
# The host labels atex, backup, data, ddos, malware, phishing, quantri, v2 and v3 are listed under
# sushi-kiwami.com here and recur below under xoilaczxu.tv, savethislife.com and cakhiaap.cc.
# Because each rule is an exact-name match, queries for the parent domains or for other labels
# under them are not covered by these entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.sushi-kiwami.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.sushi-kiwami.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.sushi-kiwami.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.sushi-kiwami.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.sushi-kiwami.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.sushi-kiwami.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.sushi-kiwami.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.sushi-kiwami.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.sushi-kiwami.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hui228.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755172; rev:1;)
# ip:port rules have no payload, flow or flag keywords: any TCP packet from $HOME_NET to the listed
# address and port matches, and the threshold (type limit, track by_src, seconds 60, count 1) caps
# output at one alert per source address per 60 seconds. An alert therefore shows contact with the
# endpoint, not the malware protocol itself; on common ports such as 80 or 443 read it together
# with the confidence_level and first_seen metadata, since an address can change hands after listing.
alert tcp $HOME_NET any -> [194.33.61.36] 7000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755171/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xoilaczxu.tv"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xoilaczxu.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczxu.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczxu.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xoilaczxu.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xoilaczxu.tv"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xoilaczxu.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xoilaczxu.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xoilaczxu.tv"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755165; rev:1;)
alert tcp $HOME_NET any -> [45.156.87.31] 443 (msg:"ThreatFox CountLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755160/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forest-entity.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755159; rev:1;)
alert tcp $HOME_NET any -> [185.90.162.118] 25180 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755158/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755158; rev:1;)
alert tcp $HOME_NET any -> [37.221.66.27] 3000 (msg:"ThreatFox Unknown Loader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755157/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.savethislife.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.savethislife.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.savethislife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.savethislife.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.savethislife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.savethislife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.savethislife.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.savethislife.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.savethislife.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.cakhiaap.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.cakhiaap.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.cakhiaap.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.cakhiaap.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.cakhiaap.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.cakhiaap.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.cakhiaap.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.cakhiaap.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.cakhiaap.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"king88vina.lat"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goansgsr.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755137; rev:1;)
alert tcp $HOME_NET any -> [187.77.209.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lookauth.com.ng"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755135; rev:1;)
alert tcp $HOME_NET any -> [165.232.45.1] 5800 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755134; rev:1;)
alert tcp $HOME_NET any -> [213.136.80.73] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755133/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_26; classtype:trojan-activity; sid:91755133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madcoolmoney.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755132; rev:1;)
# NOTE(review): the next name resembles the Windows connectivity-check host
# www.msftconnecttest.com but is under .xyz; the exact-name match does not fire on the .com name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.msftconnecttest.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755131; rev:1;)
alert tcp $HOME_NET any -> [154.31.222.217] 443 (msg:"ThreatFox SparkRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755130/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"madarezendegi.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maco-express.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"machenike.etservices.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"holaquetal.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthtoday.in.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"classes-cap.gl.joinmc.link"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755120; rev:1;)
# URL rules: flow:established,from_client limits them to client requests on established flows.
# http.method must contain GET, http.uri must begin with the listed path (depth pins it to the
# start; there is no end anchor, so a longer URI with that prefix also matches, and nocase
# applies), and http.host must equal the listed host exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0934652.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mabert.co.za"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maalaxmiquickservice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2r.biz"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755114; rev:1;)
alert tcp $HOME_NET any -> [85.209.231.42] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755111/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755111; rev:1;)
alert tcp $HOME_NET any -> [85.209.231.42] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755110/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"my18.cc.mobicloud.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morskirai.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755108; rev:1;)
alert tcp $HOME_NET any -> [85.209.231.42] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755107; rev:1;)
alert tcp $HOME_NET any -> [65.108.151.50] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755104/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755104; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.111] 3128 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755095/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyssatee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755094; rev:1;)
alert tcp $HOME_NET any -> [146.70.145.165] 8083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755093/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755093; rev:1;)
alert tcp $HOME_NET any -> [15.237.253.59] 20547 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755092; rev:1;)
alert tcp $HOME_NET any -> [156.224.19.112] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755091/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755091; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.31] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755090; rev:1;)
alert tcp $HOME_NET any -> [195.177.94.209] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rj48gr6v.quantumridge.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3on37fyf.quantumridge.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755087; rev:1;)
alert tcp $HOME_NET any -> [77.90.185.24] 80 (msg:"ThreatFox Odyssey Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755084; rev:1;)
alert tcp $HOME_NET any -> [77.90.185.24] 443 (msg:"ThreatFox Odyssey Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ws.derzkifrost-990.sbs"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755086; rev:1;)
# NOTE(review): the URI pattern of the next rule is just "/" with depth:1, so any GET request
# whose URI starts with "/" and whose Host is exactly 49.51.202.217 matches; the entry carries
# confidence_level 50, as does the URL rule after it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.51.202.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755083/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d076201aa1664664.php"; depth:21; nocase; http.host; content:"159.198.75.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755082/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755082; rev:1;)
alert tcp $HOME_NET any -> [75.2.11.125] 8120 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755081/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755081; rev:1;)
alert tcp $HOME_NET any -> [151.242.30.234] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755077/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_26; classtype:trojan-activity; sid:91755077; rev:1;)
alert tcp $HOME_NET any -> [156.239.0.38] 1266 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755080/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755080; rev:1;)
alert tcp $HOME_NET any -> [156.239.0.38] 1256 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755079/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luxdesign.studio"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755078; rev:1;)
alert tcp $HOME_NET any -> [185.216.71.155] 54321 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lysoderm.ba"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755075; rev:1;)
alert tcp $HOME_NET any -> [41.62.43.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phomoney177.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestgoodthingsforentiremylifewithbestwis.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nelol2026.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755071; rev:1;)
alert tcp $HOME_NET any -> [46.109.54.25] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lynx-new.mightrecoverymarketing.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lwid.ca"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvqp-dev.webmaster-montpellier-freelance.fr"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755067; rev:1;)
alert tcp $HOME_NET any -> [198.55.109.156] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755066/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lussolitransportes.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lusciouslinens.ca"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lupitaromasw.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755063; rev:1;)
alert tcp $HOME_NET any -> [91.232.103.250] 3250 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755062; rev:1;)
alert tcp $HOME_NET any -> [157.151.245.77] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755061/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lunchboxbyregina.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755060; rev:1;)
alert tcp $HOME_NET any -> [146.185.166.110] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755058/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755058; rev:1;)
alert tcp $HOME_NET any -> [116.62.78.178] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755057/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luminiprivilege.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755056; rev:1;)
alert tcp $HOME_NET any -> [43.210.62.20] 7000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755055; rev:1;)
alert tcp $HOME_NET any -> [52.214.48.133] 1962 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755054; rev:1;)
alert tcp $HOME_NET any -> [160.178.220.69] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755053; rev:1;)
alert tcp $HOME_NET any -> [54.207.167.146] 18017 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755052; rev:1;)
alert tcp $HOME_NET any -> [199.101.111.152] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755051; rev:1;)
alert tcp $HOME_NET any -> [146.190.17.255] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755050; rev:1;)
alert tcp $HOME_NET any -> [121.127.33.235] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755049; rev:1;)
alert tcp $HOME_NET any -> [5.175.234.128] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755048; rev:1;)
alert tcp $HOME_NET any -> [193.5.65.119] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755047; rev:1;)
alert tcp $HOME_NET any -> [38.68.47.4] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1755046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crystalforge.digital"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"luislizard.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755045; rev:1;) alert tcp $HOME_NET any -> [216.250.252.227] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wutiao666.f1.luyouxia.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755043; rev:1;) alert tcp $HOME_NET any -> [172.0.172.15] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755042; rev:1;) alert tcp 
$HOME_NET any -> [223.109.90.190] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manchidodemainehdero1234456htdfihgfdsdsg.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755040; rev:1;) alert tcp $HOME_NET any -> [43.240.239.245] 2905 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"9qzzbixt.crystalforge.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755038; rev:1;) alert tcp $HOME_NET any -> [95.216.251.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755033; rev:1;) alert tcp $HOME_NET any -> [46.224.192.164] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755034; rev:1;) alert tcp $HOME_NET any -> [188.34.207.58] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755035; rev:1;) alert tcp $HOME_NET any -> [46.225.57.98] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755036; rev:1;) alert tcp $HOME_NET any -> [74.0.48.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755030; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kur.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kur.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.48"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kur.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kur.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755026/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cms.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cms.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.224.192.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.34.207.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.57.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1755023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuttyh.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ridobad.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"g88kkpkk.crystalforge.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"oficialrem.duckdns.org"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1755008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755008; rev:1;) alert tcp $HOME_NET any -> [198.50.204.123] 203 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755015/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vintejo-39341.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755014/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fenbushijujuefuwu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755013/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"egupt.ru.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755010/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"naturesights.gb.net"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755011/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sitthereanddonothing.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755012/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_26; classtype:trojan-activity; sid:91755012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lray.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ltinney.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lrlifetime.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lppm.umus.ac.id"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1755005/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_26; classtype:trojan-activity; sid:91755005; rev:1;) alert tcp $HOME_NET any -> [45.83.31.248] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755004/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91755004; rev:1;) alert tcp $HOME_NET any -> [196.65.216.170] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755003; rev:1;) alert tcp $HOME_NET any -> [199.101.111.120] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755002; rev:1;) alert tcp $HOME_NET any -> [206.237.13.242] 43211 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755001; rev:1;) alert tcp $HOME_NET any -> [54.168.38.97] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1755000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91755000; rev:1;) alert tcp $HOME_NET any -> [150.241.226.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754999; rev:1;) alert tcp $HOME_NET any -> [20.163.58.233] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754998; rev:1;) alert tcp $HOME_NET any -> [104.128.191.55] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754997; rev:1;) alert tcp $HOME_NET any -> [162.216.243.39] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lp.wmlimitada.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twej.shuwdrlp.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754994; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cherriestruck.space"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754993; rev:1;) alert tcp $HOME_NET any -> [193.26.115.225] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754992/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afternoonscrew.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754991; rev:1;) alert tcp $HOME_NET any -> [195.177.94.72] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754990/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754990; rev:1;) alert tcp $HOME_NET any -> [49.86.40.207] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maisagil.celulafranquias.com.br"; 
depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754987; rev:1;) alert tcp $HOME_NET any -> [154.36.188.169] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754988; rev:1;) alert tcp $HOME_NET any -> [47.84.183.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754986; rev:1;) alert tcp $HOME_NET any -> [66.154.117.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754985; rev:1;) alert tcp $HOME_NET any -> [185.234.9.180] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754984; rev:1;) alert tcp $HOME_NET any -> [103.27.177.16] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754983; rev:1;) alert tcp $HOME_NET 
any -> [45.79.130.92] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754982; rev:1;) alert tcp $HOME_NET any -> [38.165.42.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754981; rev:1;) alert tcp $HOME_NET any -> [195.177.94.155] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754980/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754980; rev:1;) alert tcp $HOME_NET any -> [64.81.30.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754979; rev:1;) alert tcp $HOME_NET any -> [46.250.245.172] 9001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754978/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_26; classtype:trojan-activity; sid:91754978; rev:1;) alert tcp $HOME_NET any -> [43.226.125.42] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754977/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754977; rev:1;)
# Layout: one rule per line from here on. Suricata reads one rule per line and only
# joins lines that end in a backslash, so a rule wrapped in the middle of an option
# does not load.
#
# ip:port IOC rules (every rule in this run):
#   - No payload, flow or app-layer keywords: any TCP packet from $HOME_NET to the
#     listed address and port matches, so a connection attempt alone raises the alert.
#   - threshold (type limit, track by_src, seconds 60, count 1) caps output at one
#     alert per source address per 60 seconds.
#   - target:src_ip marks the internal source host as the affected side of the alert.
#   - sid is the ThreatFox IOC id from the reference URL with a leading 9.
#   - The family name in msg comes from the IOC record; the rule cannot tell the named
#     malware from other traffic to the same endpoint. On shared ports such as 80 and
#     443, and for confidence_level 75 entries, corroborate a hit with host or proxy
#     telemetry before treating the source as compromised.
#   - metadata carries confidence_level and first_seen, which can be used when the
#     local ruleset is built to drop low-confidence or aged indicators.
alert tcp $HOME_NET any -> [134.122.173.45] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754976/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754976; rev:1;)
alert tcp $HOME_NET any -> [43.226.125.51] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754975/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754975; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.42] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754974/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754974; rev:1;)
# The Cobalt Strike entries below mostly share port 29541 and fall in a handful of
# address ranges; each destination is a single-address list, so every address needs
# its own rule. The shared port is a useful pivot for retrospective flow searches.
alert tcp $HOME_NET any -> [103.39.16.252] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754973; rev:1;)
alert tcp $HOME_NET any -> [121.43.58.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754972; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.229] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754971; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.250] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754970; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.242] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754969; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.202] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754968; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.228] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754967; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.251] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754966; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.115] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754965; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.210] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754964; rev:1;)
alert tcp $HOME_NET any -> [195.177.94.234] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754963/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754963; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.237] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754962; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.237] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754961; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.220] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754960; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.197] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754959; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.234] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754958; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.122] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754957; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.213] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754956; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.195] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754955; rev:1;)
# Layout: one rule per line. Suricata reads one rule per line and only joins lines
# that end in a backslash, so a rule wrapped in the middle of an option does not load.
#
# Common to every rule in this run: target:src_ip marks the internal source host as
# the affected side of the alert; sid is the ThreatFox IOC id from the reference URL
# with a leading 9; metadata carries confidence_level and first_seen, which can be
# used when the local ruleset is built to drop low-confidence or aged indicators.
#
# ip:port IOC rules (alert tcp ... -> [address] port):
#   - No payload, flow or app-layer keywords: any TCP packet from $HOME_NET to the
#     listed address and port matches, so a connection attempt alone raises the alert.
#   - threshold (type limit, track by_src, seconds 60, count 1) caps output at one
#     alert per source address per 60 seconds.
#   - The family name in msg comes from the IOC record; the rule cannot tell the named
#     malware from other traffic to the same endpoint. Corroborate hits on shared
#     ports (80, 443) and on confidence_level 75 entries before acting on them.
alert tcp $HOME_NET any -> [43.240.239.247] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754954; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.119] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754953; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.201] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754952/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754952; rev:1;)
# Domain IOC rules (alert dns): dns_query (the older spelling of dns.query) selects
# the query name. depth equals the length of the content and isdataat:!1,relative
# requires that nothing follows it, so the match is the exact name, compared
# case-insensitively (nocase). Subdomains of a listed name and its parent domain do
# not match. These rules carry no threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snkky.xxninja-cybersecurity.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mybusinesscorecom.spindogs-dev7.co.uk"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754950; rev:1;)
alert tcp $HOME_NET any -> [31.57.216.27] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754943/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754943; rev:1;)
alert tcp $HOME_NET any -> [31.57.216.28] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754944/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754944; rev:1;)
alert tcp $HOME_NET any -> [46.151.182.245] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754945/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754945; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.119] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754946/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754946; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.144] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754947/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754947; rev:1;)
alert tcp $HOME_NET any -> [130.12.182.175] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754948/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754948; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.85] 423 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754949/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.homesforsalegrovecityohio.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cc.xbqpdj.vip"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754620; rev:1;)
alert tcp $HOME_NET any -> [177.161.176.25] 61459 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754852; rev:1;)
# NOTE(review): the ms-updater-service.*, ms-cleaner.* and auth-ms-service.* names
# appear to imitate vendor service names. Because each rule is an exact-name match,
# only the listed registrations alert; other TLD variants of the same label are not
# covered unless the feed lists them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-updater-service.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-updater-service.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-updater-service.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ms-cleaner.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754857/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ms-cleaner.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754858/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auth-ms-service.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754859/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auth-ms-service.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754860/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auth-ms-service.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754861/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ms-cleaner.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754862/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ms-cleaner.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754863/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754863; rev:1;)
alert tcp $HOME_NET any -> [193.187.151.199] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754865; rev:1;)
alert tcp $HOME_NET any -> [45.12.2.167] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754866/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754866; rev:1;)
alert tcp $HOME_NET any -> [37.27.0.76] 80 (msg:"ThreatFox KongTuke botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754867/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754867; rev:1;)
# URL IOC rules (alert http): client-to-server data on an established flow, method
# buffer containing GET, http.uri beginning with the listed path (depth anchors the
# start; there is no end anchor, so longer URIs with the same prefix also match) and
# http.host equal to the listed value exactly (depth plus isdataat:!1,relative).
# These only see requests the sensor can parse as HTTP, so TLS-wrapped requests to
# the same host go unseen unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_gov/"; depth:9; nocase; http.host; content:"socheaphost.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754868/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_26; classtype:trojan-activity; sid:91754868; rev:1;)
alert tcp $HOME_NET any -> [91.235.116.139] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754879/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_26; classtype:trojan-activity; sid:91754879; rev:1;)
# NOTE(review): the /api/ path below looks like a lower-cased base64 token; with
# nocase the rule matches any letter-casing of it. Confirm the original casing on the
# referenced IOC page if it is needed for log searches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"89.169.12.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754927/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"213.176.73.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754928/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754928; rev:1;)
# Layout: one rule per line. Suricata reads one rule per line and only joins lines
# that end in a backslash, so a rule wrapped in the middle of an option does not load.
#
# Common to every rule in this run: target:src_ip marks the internal source host as
# the affected side of the alert; sid is the ThreatFox IOC id from the reference URL
# with a leading 9; metadata carries confidence_level and first_seen, which can be
# used when the local ruleset is built to drop low-confidence or aged indicators.
#
# URL IOC rules (alert http): client-to-server data on an established flow, method
# buffer containing GET, http.uri beginning with the listed path (depth anchors the
# start; there is no end anchor, so longer URIs with the same prefix also match) and
# http.host equal to the listed value exactly (depth plus isdataat:!1,relative).
# These only see requests the sensor can parse as HTTP, so TLS-wrapped requests to
# the same host go unseen unless traffic is decrypted upstream.
# NOTE(review): the /api/ path below looks like a lower-cased base64 token; with
# nocase the rule matches any letter-casing of it. Confirm the original casing on the
# referenced IOC page if it is needed for log searches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"213.176.73.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754936/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754936; rev:1;)
# Domain IOC rules (alert dns): dns_query (the older spelling of dns.query) selects
# the query name. depth equals the length of the content and isdataat:!1,relative
# requires that nothing follows it, so the match is the exact name, compared
# case-insensitively (nocase). Subdomains of a listed name and its parent domain do
# not match, which keeps hosts under shared services (duckdns.org, portmap.host,
# mysynology.net below) from flagging the service as a whole. These rules carry no
# threshold, so every matching query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.muksecurity.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754939; rev:1;)
# ip:port IOC rules (alert tcp ... -> [address] port):
#   - No payload, flow or app-layer keywords: any TCP packet from $HOME_NET to the
#     listed address and port matches, so a connection attempt alone raises the alert.
#   - threshold (type limit, track by_src, seconds 60, count 1) caps output at one
#     alert per source address per 60 seconds.
#   - The family name in msg comes from the IOC record; the rule cannot tell the named
#     malware from other traffic to the same endpoint. Corroborate hits on shared
#     ports (80, 443) and on confidence_level 75 entries before acting on them.
alert tcp $HOME_NET any -> [154.91.64.48] 442 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoxt3.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"master.yaxngmould.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muse.muchacc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754938; rev:1;)
alert tcp $HOME_NET any -> [195.62.47.104] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754937; rev:1;)
alert tcp $HOME_NET any -> [178.157.59.195] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754935/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754935; rev:1;)
# NOTE(review): several "payload delivery" names below look like ordinary business
# sites; presumably some are compromised legitimate hosts, so a DNS hit alone may be
# a normal visit. Check what was fetched before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mundonerdassistencia.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mundodasmaquinas.com.br"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multiunique.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonpyroserv-37564.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broadres.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"multirede.wsbrasil.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lotushomes.lk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lottapesipsb.it"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754925; rev:1;)
alert tcp $HOME_NET any -> [124.198.132.79] 3015 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754924/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"badbunny202612026.mysynology.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754923/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_26; classtype:trojan-activity; sid:91754923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"longhaivietnam.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lms.waliul.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lojamusicmais.com.br.luzativa.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754920; rev:1;)
# NOTE(review): msg uses the feed's fixed "botnet C2 traffic" wording for every
# ip:port entry. For tooling labels such as Empire Downloader and MimiKatz the
# endpoint is presumably a staging or hosting server rather than a bot controller;
# check the referenced IOC page before choosing a response playbook.
alert tcp $HOME_NET any -> [152.42.181.193] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754919; rev:1;)
alert tcp $HOME_NET any -> [148.113.54.163] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754918; rev:1;)
alert tcp $HOME_NET any -> [198.98.53.100] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754917; rev:1;)
alert tcp $HOME_NET any -> [27.124.20.138] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754916; rev:1;)
alert tcp $HOME_NET any -> [43.212.196.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754915; rev:1;)
alert tcp $HOME_NET any -> [107.174.33.4] 9021 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_26; classtype:trojan-activity; sid:91754914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"waterpressureelement.cc"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gardian0mar1on-64077.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754911; rev:1;)
alert tcp $HOME_NET any -> [38.76.193.91] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754910; rev:1;)
alert tcp $HOME_NET any -> [27.124.20.143] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754909; rev:1;)
alert tcp $HOME_NET any -> [27.124.20.136] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754908; rev:1;)
alert tcp $HOME_NET any -> [172.86.114.105] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754907; rev:1;)
alert tcp $HOME_NET any -> [35.78.231.220] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754906; rev:1;)
alert tcp $HOME_NET any -> [134.122.173.39] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754905/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754905; rev:1;)
alert tcp $HOME_NET any -> [43.226.125.37] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754904/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754904; rev:1;)
alert tcp $HOME_NET any -> [137.220.224.77] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754903/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754903; rev:1;)
# The Cobalt Strike entries below mostly share port 29541 and fall in a handful of
# address ranges; each destination is a single-address list, so every address needs
# its own rule. The shared port is a useful pivot for retrospective flow searches.
alert tcp $HOME_NET any -> [23.226.58.124] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754902; rev:1;)
alert tcp $HOME_NET any -> [39.108.104.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754901; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.247] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754900; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.211] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754899; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.229] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754898; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.211] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754897; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.108] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754896; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.222] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754895; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.248] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754894; rev:1;)
# NOTE(review): the next three names appear to imitate well-known software or
# service names; the exact-name match means the genuine vendor domains never alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adobecrashreport.link"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riotgames.ink"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waasmedicagent.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754893; rev:1;)
# Same address on three ports: each ip:port pair is a separate IOC and rule, and the
# per-rule threshold means one host can raise up to three alerts per minute here.
alert tcp $HOME_NET any -> [178.16.53.140] 9987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754890; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.140] 2409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754888; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.140] 3398 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freshlogs1.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754887; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.238] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754886; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.227] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754885; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.112] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xoilaczsptz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xoilaczsptz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mimiparry02-32990.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"justchelling.dpdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"13nq2ksp.lunarbridge.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6u5wy3rf.lunarbridge.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754877; rev:1;) alert tcp $HOME_NET any -> [18.222.51.121] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754874; rev:1;) alert tcp $HOME_NET any -> [156.238.236.249] 300 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toolboxhk.node.edmc.cn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754872/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hyper.es"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754870; rev:1;) alert tcp $HOME_NET any -> [172.86.127.100] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754869; rev:1;) alert tcp $HOME_NET any -> [1.12.42.37] 31092 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754853; rev:1;) alert tcp $HOME_NET any -> [102.98.73.159] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754851; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754850; rev:1;) alert tcp $HOME_NET any -> [103.27.157.122] 8443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754849; rev:1;)
# ip:port rules: destination address and port are the only match criteria (no
# flow or content keyword), and "threshold: type limit, track by_src, seconds
# 60, count 1" allows one alert per source per 60 seconds for each sid. A hit
# therefore shows that a host sent TCP traffic towards the endpoint, not that a
# C2 session completed - corroborate with flow or proxy logs.
alert tcp $HOME_NET any -> [141.98.7.177] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754848; rev:1;)
alert tcp $HOME_NET any -> [155.103.71.207] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754847; rev:1;)
alert tcp $HOME_NET any -> [39.108.104.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754846; rev:1;)
# From here on the Cobalt Strike entries almost all use destination port 29541
# and fall within a handful of address ranges visible below (23.226.48.x,
# 23.226.58.x, 23.248.213.x, 43.240.239.x, 43.249.175.x, 103.39.16.x,
# 103.41.7.x, 156.234.21.x). Each address is a separate ThreatFox IOC with its
# own sid.
# NOTE(review): the feed lists individual addresses only; do not widen these to
# whole ranges in local policy without confirming the neighbouring addresses.
# Several of these sids firing from one source presumably indicates a single
# campaign rather than many - verify against the ThreatFox entries.
alert tcp $HOME_NET any -> [23.226.48.199] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754845; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.194] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754844; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.202] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754843; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.235] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754842; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.115] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754841; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.212] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754840; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.104] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754839; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.231] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754838; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.218] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754837; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.125] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754836; rev:1;)
# Domain rule: dns_query with depth:13 and isdataat:!1,relative is an exact,
# case-insensitive (nocase) match on the whole query name; subdomains do not
# alert. The msg names no malware family for this entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coco-fun2.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754835; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.236] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754834; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.215] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754833; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.226] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754832; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.217] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754831; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.218] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754830; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.217] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754829; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.101] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754828; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.243] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754827; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.240] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754826; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.109] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754825; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.201] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754824; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.100] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754823; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.99] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754822; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.217] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754821; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.121] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754820; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.111] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754819; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.230] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754818; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.199] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754817; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.251] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754816; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.205] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754815; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.103] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754814; rev:1;)
# Different endpoint and port (8888) from the surrounding port-29541 entries.
alert tcp $HOME_NET any -> [47.120.20.86] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754813; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.104] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754812; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.195] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754811; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.201] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754810; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.120] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754809; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.244] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754808; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.101] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754807; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.206] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754806; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.193] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754805; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.122] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754804; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.214] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754803; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.222] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754802; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.107] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754801; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.202] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754800; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.211] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754799; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.198] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754798; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.236] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754797; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.112] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754796; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.194] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754795; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.207] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754794; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.215] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754793; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.221] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754792; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.210] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754791; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.197] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754790; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.239] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754789; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.102] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754788; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.207] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754787; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.216] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754786; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.248] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754785; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.204] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754784; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.212] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754783; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.250] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754782; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.239] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754781; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.196] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754780; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.118] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754779; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.232] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754778; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.233] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold:
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754777; rev:1;) alert tcp $HOME_NET any -> [103.41.7.238] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754776; rev:1;) alert tcp $HOME_NET any -> [43.240.239.237] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stellarcloudhub5.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stellarcloudhub4.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stellarcloudhub3.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754772/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stellarcloudhub2.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stellarcloudhub1.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tllts.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754769; rev:1;) alert tcp $HOME_NET any -> [146.70.113.182] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754768; rev:1;) alert tcp $HOME_NET any -> [123.60.179.11] 8085 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"mrpaulandpartners.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754766; rev:1;)
# --- ip:port rules ---------------------------------------------------------
# These rules carry no content or flow keywords: a match says only that a
# $HOME_NET host sent TCP traffic to the listed address and port, not that the
# session spoke the named family's protocol. Treat a hit as a lead and
# corroborate it with endpoint or proxy/TLS telemetry for the source host.
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at
# one alert per source address per 60 seconds, so alert volume does not
# reflect the number of connections.
# target:src_ip marks the internal source host as the target in the alert.
# In the rules shown here the sid is the ThreatFox IOC id from the reference
# URL with a leading 9; first_seen in metadata is the feed's date for the
# indicator. Addresses can be reassigned, so check the reference entry before
# acting on an old indicator.
alert tcp $HOME_NET any -> [110.43.39.172] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754765; rev:1;)
alert tcp $HOME_NET any -> [95.141.32.147] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754764; rev:1;)
# --- domain rules ----------------------------------------------------------
# depth equals the length of the content string and isdataat:!1,relative
# requires that nothing follows it, so together with nocase this is a
# case-insensitive exact match on the whole query name. Other names under the
# same parent domain are not covered by this rule.
# NOTE(review): dns_query is the older spelling of the dns.query sticky
# buffer; confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.mselite.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754763; rev:1;)
alert tcp $HOME_NET any -> [178.16.55.211] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754762; rev:1;)
# The next rule is a 90% confidence indicator on port 443. An address:port
# match cannot tell C2 apart from any other service reachable on that address
# and port, so weigh it below the 100% entries and look for a second signal
# (TLS SNI or certificate, endpoint process) before escalating.
alert tcp $HOME_NET any -> [43.143.234.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754761/; target:src_ip; metadata: 
confidence_level 90, first_seen 2026_02_25; classtype:trojan-activity; sid:91754761; rev:1;) alert tcp $HOME_NET any -> [157.151.245.77] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754760/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_25; classtype:trojan-activity; sid:91754760; rev:1;) alert tcp $HOME_NET any -> [23.248.213.114] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754759; rev:1;) alert tcp $HOME_NET any -> [23.226.58.123] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754758; rev:1;) alert tcp $HOME_NET any -> [103.41.7.226] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754757; rev:1;) alert tcp $HOME_NET any -> [103.39.16.254] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754756; rev:1;) alert tcp $HOME_NET any -> [23.248.213.108] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754755; rev:1;) alert tcp $HOME_NET any -> [156.234.21.196] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754754; rev:1;) alert tcp $HOME_NET any -> [23.248.213.113] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754753; rev:1;) alert tcp $HOME_NET any -> [103.41.7.252] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754752; rev:1;) alert tcp $HOME_NET any -> [156.234.21.198] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754751; rev:1;) alert tcp $HOME_NET any -> [43.249.175.214] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; 
classtype:trojan-activity; sid:91754750; rev:1;) alert tcp $HOME_NET any -> [103.39.16.232] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754749; rev:1;) alert tcp $HOME_NET any -> [23.226.58.109] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754748; rev:1;) alert tcp $HOME_NET any -> [23.226.58.117] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754746; rev:1;) alert tcp $HOME_NET any -> [43.240.239.235] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754747; rev:1;) alert tcp $HOME_NET any -> [23.226.58.106] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754745; rev:1;) alert tcp $HOME_NET any -> [103.41.7.227] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754744; rev:1;) alert tcp $HOME_NET any -> [43.240.239.254] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754743; rev:1;) alert tcp $HOME_NET any -> [43.240.239.241] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754742; rev:1;) alert tcp $HOME_NET any -> [103.41.7.254] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754741; rev:1;) alert tcp $HOME_NET any -> [43.240.239.234] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754740; rev:1;) alert tcp $HOME_NET any -> [43.249.175.203] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754739; 
rev:1;) alert tcp $HOME_NET any -> [43.240.239.230] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754738; rev:1;) alert tcp $HOME_NET any -> [103.41.7.253] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754737; rev:1;) alert tcp $HOME_NET any -> [43.240.239.253] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754736; rev:1;) alert tcp $HOME_NET any -> [156.234.21.213] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754735; rev:1;) alert tcp $HOME_NET any -> [103.41.7.251] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754734; rev:1;) alert tcp $HOME_NET any -> [43.240.239.252] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1754733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754733; rev:1;) alert tcp $HOME_NET any -> [156.234.21.219] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754732; rev:1;) alert tcp $HOME_NET any -> [23.248.213.99] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754731; rev:1;) alert tcp $HOME_NET any -> [23.248.213.125] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754730/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754730; rev:1;) alert tcp $HOME_NET any -> [23.248.213.124] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754729; rev:1;) alert tcp $HOME_NET any -> [103.39.16.238] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754728; rev:1;) alert tcp $HOME_NET any -> 
[23.226.58.116] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754727; rev:1;) alert tcp $HOME_NET any -> [23.226.58.126] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754726; rev:1;) alert tcp $HOME_NET any -> [43.249.175.206] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754725; rev:1;) alert tcp $HOME_NET any -> [103.41.7.243] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754724; rev:1;) alert tcp $HOME_NET any -> [103.41.7.230] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754723; rev:1;) alert tcp $HOME_NET any -> [23.226.58.113] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1754722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754722; rev:1;) alert tcp $HOME_NET any -> [103.39.16.247] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754721; rev:1;) alert tcp $HOME_NET any -> [103.41.7.236] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754720; rev:1;) alert tcp $HOME_NET any -> [23.248.213.116] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754719; rev:1;) alert tcp $HOME_NET any -> [103.39.16.235] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754718; rev:1;) alert tcp $HOME_NET any -> [103.39.79.102] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754717; rev:1;) alert tcp $HOME_NET any -> [156.234.21.209] 29541 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754716; rev:1;) alert tcp $HOME_NET any -> [23.226.48.198] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754715; rev:1;) alert tcp $HOME_NET any -> [23.248.213.123] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754714; rev:1;) alert tcp $HOME_NET any -> [43.249.175.213] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754713; rev:1;) alert tcp $HOME_NET any -> [23.226.58.103] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754712; rev:1;) alert tcp $HOME_NET any -> [43.249.175.200] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754711/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754711; rev:1;) alert tcp $HOME_NET any -> [103.39.16.240] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754710; rev:1;) alert tcp $HOME_NET any -> [43.249.175.220] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754709; rev:1;) alert tcp $HOME_NET any -> [103.39.16.234] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754708; rev:1;) alert tcp $HOME_NET any -> [23.248.213.105] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754707; rev:1;) alert tcp $HOME_NET any -> [23.248.213.107] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754706; rev:1;) alert tcp $HOME_NET any -> [103.41.7.233] 29541 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754705; rev:1;) alert tcp $HOME_NET any -> [103.41.7.242] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754704; rev:1;) alert tcp $HOME_NET any -> [23.248.213.111] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754703; rev:1;) alert tcp $HOME_NET any -> [103.39.16.243] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754702; rev:1;) alert tcp $HOME_NET any -> [103.41.7.245] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754701; rev:1;) alert tcp $HOME_NET any -> [23.226.48.210] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754700/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754700; rev:1;) alert tcp $HOME_NET any -> [103.41.7.244] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754699; rev:1;) alert tcp $HOME_NET any -> [103.39.16.246] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754698; rev:1;) alert tcp $HOME_NET any -> [23.248.213.118] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754697; rev:1;) alert tcp $HOME_NET any -> [43.249.175.207] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754696; rev:1;) alert tcp $HOME_NET any -> [43.240.239.246] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754695; rev:1;) alert tcp $HOME_NET any -> [23.226.58.110] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754694; rev:1;)
# ThreatFox ip:port indicators, one rule per line.
# Each rule alerts on any TCP packet from $HOME_NET to the single listed
# address and port. There is no flow or payload condition, so the destination
# alone decides the match.
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per internal source address, per rule, per 60 seconds.
# target:src_ip marks the $HOME_NET host as the affected side in alert output.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): address-only matches age as IP space is reassigned; check
# first_seen and the reference URL before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [103.41.7.241] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754693; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.218] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754692; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.219] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754691; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.205] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754690; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.245] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754689; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.205] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754688; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.200] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754687; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.242] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754686; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.220] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754685; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.244] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754684; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.98] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754683; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.97] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754682; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.219] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754681; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.195] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754680; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.196] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754679; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.250] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754678; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.106] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754677; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.203] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754676; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.100] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754675; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.216] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754674; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.209] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754673; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.249] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754672; rev:1;)
alert tcp $HOME_NET any -> [115.190.250.28] 5521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754671; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.204] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754670; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.203] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754668; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.228] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754669; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.102] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754667; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.225] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754666; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.214] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754665; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.204] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754664; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.121] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754663; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.201] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754662; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.241] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754661; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.233] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754660; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.208] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754659; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.231] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754658; rev:1;)
alert tcp $HOME_NET any -> [103.41.7.246] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754657; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.229] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754656; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.114] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754655; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.110] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754654; rev:1;)
# Same address-only template, labelled Quasar RAT in msg.
alert tcp $HOME_NET any -> [170.168.61.188] 8952 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754653; rev:1;)
# NOTE(review): destination port 80. With no payload condition this rule cannot
# tell C2 from any other service reachable at the same address and port.
alert tcp $HOME_NET any -> [47.92.169.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754652; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.200] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754651; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.117] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754650; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.126] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754649; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.206] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754648; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.212] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754647; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.248] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754646; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.226] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754645; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.221] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754644; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.222] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754643; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.240] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754642; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.245] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754641; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.239] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754640; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.199] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754639; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.216] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754638; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.120] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754637; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.98] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754636; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.215] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754635; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.232] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754634; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.194] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754633; rev:1;)
alert tcp $HOME_NET any -> [43.240.239.249] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754632; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.228] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754631; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.208] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754630; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.249] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754628; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.253] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754629; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.227] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754627; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.221] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754626; rev:1;)
alert tcp $HOME_NET any -> [23.226.48.197] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754625; rev:1;)
alert tcp $HOME_NET any -> [23.248.213.119] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754624; rev:1;)
alert tcp $HOME_NET any -> [156.234.21.208] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754623; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.225] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754622; rev:1;)
alert tcp $HOME_NET any -> [103.39.16.231] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754621; rev:1;)
# NOTE(review): the feed publishes this entry at confidence_level 75 and the
# destination port is 443; an address-only match here deserves corroboration
# from host or TLS telemetry before escalation.
alert tcp $HOME_NET any -> [34.154.34.19] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754619/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754619; rev:1;)
# Domain indicator. depth equals the length of the content string and
# isdataat:!1,relative requires that nothing follows it, so the DNS query name
# must equal the listed name exactly (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mrepictures.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754618; rev:1;)
# Address-only rules published at confidence_level 75.
alert tcp $HOME_NET any -> [172.94.14.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754616/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754616; rev:1;)
alert tcp $HOME_NET any -> [114.230.138.176] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754615/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754615; rev:1;)
# ThreatFox indicators, one rule per line. Three templates appear below:
#   tcp  (ip:port) - any TCP packet from $HOME_NET to the listed address and
#                    port; no flow or payload condition. The threshold option
#                    limits output to one alert per source per rule per 60 s.
#   dns  (domain)  - depth equals the content length and isdataat:!1,relative
#                    requires that nothing follows, so the query name must
#                    equal the listed name exactly (nocase); subdomains of it
#                    do not match.
#   http (url)     - established client-side flow, method contains GET, URI
#                    starts with the listed path (nocase, no end anchor, so a
#                    longer URI with the same prefix also matches), and the
#                    Host value equals the listed name exactly.
# target:src_ip marks the $HOME_NET host as the affected side in alert output.
# sid is the ThreatFox IOC id from the reference URL with a leading 9.
# NOTE(review): the http rules apply only to requests Suricata parses as HTTP;
# the same URL fetched over TLS is not visible to them without decryption.

# Address-only rule published at confidence_level 75.
alert tcp $HOME_NET any -> [104.250.169.106] 1781 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754614/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mr-suministros.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demhjmr.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prewjko.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasykmp.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scijmdz.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754610; rev:1;)
# NOTE(review): the Host value is under an .edu.tw name, which suggests a
# compromised legitimate site rather than dedicated infrastructure - verify via
# the reference URL. The rule is scoped to one path prefix on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/good/quakes/gate.php"; depth:21; nocase; http.host; content:"servicelearning.thu.edu.tw"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slotonlinegacor.it.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ourgroupclassprojectsslim2.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ourgroupclassprojectsslim1.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ourgroupclassprojects.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movingcompanyinsacramento.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754598; rev:1;)
# From here on several hosts have both a dns rule and one or more http rules;
# a client that resolves the name and then fetches a listed path over cleartext
# HTTP raises an alert from each.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-server.beer"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-server.beer"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormplayavia.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"stormplayavia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yuanstore.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754555; rev:1;)
# NOTE(review): sid 91754556 (next line) and sid 91754557 (two rules further
# down) carry identical match conditions - GET, /api/index.php, yuanstore.com -
# so a single request raises both alerts. The two IOC entries presumably differ
# in a part of the URL the rule does not encode (scheme or query string);
# confirm against the reference URLs and de-duplicate downstream if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php"; depth:14; nocase; http.host; content:"yuanstore.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gatcachesec.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php"; depth:14; nocase; http.host; content:"yuanstore.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"gatcachesec.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a2g.js"; depth:8; nocase; http.host; content:"stgbran.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stgbran.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"stgbran.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vxnrtubh.primefusion.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754597; rev:1;)
# NOTE(review): address-only match on destination port 443; with no payload
# condition the rule cannot tell C2 from any other service at that address.
alert tcp $HOME_NET any -> [95.85.239.4] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m89k7yv.primefusion.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movies.liho.tw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"movev.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"movers.devsquarepk.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"motorhomemot.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"motoresnobre.siteup.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754588; rev:1;) alert tcp $HOME_NET any -> [143.244.135.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"motelantares.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mosenacardoso.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754581; rev:1;) alert tcp $HOME_NET any -> [82.24.200.21] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754577; rev:1;) alert tcp $HOME_NET any -> [182.123.72.152] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754576; rev:1;) alert tcp $HOME_NET any -> [49.51.202.217] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754575; rev:1;) alert tcp $HOME_NET any -> [34.136.0.42] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754574; rev:1;) alert tcp $HOME_NET any -> [102.117.163.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55clublotteryy.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754572; rev:1;) alert tcp $HOME_NET any -> [213.176.79.252] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueb.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueb.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ueb.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ueb.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6ut6sdn1.clearvertex.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"85lgsf41.clearvertex.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moritzliewerscheidt.de"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754561; rev:1;) alert tcp $HOME_NET any -> [65.108.151.50] 8880 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754545; rev:1;) alert tcp $HOME_NET any -> [34.46.236.209] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754542/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morart.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754539; rev:1;) alert tcp $HOME_NET any -> [103.227.84.10] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754536; rev:1;) alert tcp $HOME_NET any -> [178.17.62.192] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754535; rev:1;) alert tcp $HOME_NET any -> [34.118.26.66] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754533; rev:1;) alert tcp $HOME_NET any -> [172.237.129.24] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; 
sid:91754532; rev:1;) alert tcp $HOME_NET any -> [168.245.203.230] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754531; rev:1;) alert tcp $HOME_NET any -> [49.51.202.217] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754530; rev:1;) alert tcp $HOME_NET any -> [178.16.54.184] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754529; rev:1;) alert tcp $HOME_NET any -> [45.88.78.33] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754521/; target:src_ip; metadata: confidence_level 99, first_seen 2026_02_25; classtype:trojan-activity; sid:91754521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"afreu.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754524/; target:src_ip; metadata: confidence_level 99, first_seen 2026_02_25; classtype:trojan-activity; sid:91754524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"varusa.xyz"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1754525/; target:src_ip; metadata: confidence_level 99, first_seen 2026_02_25; classtype:trojan-activity; sid:91754525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"efsllc.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754526/; target:src_ip; metadata: confidence_level 99, first_seen 2026_02_25; classtype:trojan-activity; sid:91754526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"ktoto.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754527/; target:src_ip; metadata: confidence_level 99, first_seen 2026_02_25; classtype:trojan-activity; sid:91754527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moo77.asia"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monzaoggi.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"montroguru.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; 
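sid:91754520; rev:1;)
# ThreatFox IOC rules, restored to one rule per line. Three shapes appear in this run:
#  - dns:  dns_query + content whose depth equals the name length, plus isdataat:!1,relative,
#          so the queried name must match exactly (a longer name containing it does not match).
#  - tcp:  destination ip:port only, no payload or flow keywords, so any packet from $HOME_NET to
#          that address and port matches; "threshold: type limit, track by_src, seconds 60, count 1"
#          caps the output at one alert per source address per 60 seconds.
#  - http: client GET request, matched on the Host header (see the note on sid 91754514 below).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoeyxsife-53554.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754519; rev:1;)
alert tcp $HOME_NET any -> [45.144.212.94] 8823 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nz5umskcf.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754517; rev:1;)
alert tcp $HOME_NET any -> [84.38.129.7] 8018 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754516; rev:1;)
alert tcp $HOME_NET any -> [110.43.39.44] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754515; rev:1;)
# NOTE(review): sid 91754514 originally looked for the hostname at the start of the URI buffer
# (http.uri; content:"go1.kmm5tn.ceye.io"; depth:18; nocase;). A request URI begins with "/" (or with
# a scheme in proxy-form requests), so that anchored match is not expected to fire on real traffic.
# Presumably the IOC value was a bare host without a scheme or path - confirm against the IOC entry.
# The match is moved to http.host with the exact-match anchoring (depth + isdataat:!1,relative) that
# the other url rules in this feed use. This is a local edit with rev bumped to 2; it is overwritten
# by the next feed pull unless the rule generator is corrected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"go1.kmm5tn.ceye.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754514/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754514; rev:2;)
alert tcp $HOME_NET any -> [80.71.224.110] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754513; rev:1;)
alert tcp $HOME_NET any -> [80.71.224.110] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754512; rev:1;)
alert tcp $HOME_NET any -> [137.220.219.244] 8081 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mateo.eu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754510; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.105] 29541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity;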
sid:91754509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asimos.radio.fm"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vean-tattoo.sa.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"143.92.60.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"213.176.73.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754441/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/nte3yjdjnwu1njyznju2yta1n2y="; depth:33; nocase; http.host; content:"89.169.12.248"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754469/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754469; rev:1;) alert tcp $HOME_NET any -> [144.124.246.132] 443 (msg:"ThreatFox ACR Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754501/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754501; rev:1;) alert tcp $HOME_NET any -> [102.141.126.140] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754499; rev:1;) alert tcp $HOME_NET any -> [113.45.185.225] 85 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754498; rev:1;) alert tcp $HOME_NET any -> [82.157.233.225] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"path.fu78.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754494/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754494; rev:1;) 
# ThreatFox IOC rules, one rule per line.
# dns rules: dns_query + content with depth equal to the name length and isdataat:!1,relative,
# so only the exact queried name matches.
# tcp rules: destination ip:port only, no payload or flow keywords; the threshold keyword limits
# output to one alert per source address per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monkeysdigital.com.mx"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cm88.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754491/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ksmk0909096-54828.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754492/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754492; rev:1;)
# NOTE(review): the next twelve rules cover two destination addresses (104.21.35.221 and
# 172.67.180.60) on the same six ports each, all at confidence_level 50. Both addresses fall inside
# ranges Cloudflare publishes for its proxy network (104.16.0.0/13 and 172.64.0.0/13) - confirm
# against the current published list. An address of that kind can front many unrelated sites, so a
# hit here identifies the shared edge rather than a specific C2 server: treat these as low-fidelity,
# correlate with DNS and host telemetry before escalating, and avoid using them in drop/reject mode.
alert tcp $HOME_NET any -> [104.21.35.221] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754482/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754482; rev:1;)
alert tcp $HOME_NET any -> [104.21.35.221] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754483/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754483; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754485/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754485; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754486/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754486; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754487/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754487; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754488/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754488; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754489/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754489; rev:1;)
alert tcp $HOME_NET any -> [172.67.180.60] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754490/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754490; rev:1;)
alert tcp $HOME_NET any -> [104.21.35.221] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754478/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754478; rev:1;)
alert tcp $HOME_NET any -> [104.21.35.221] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754479/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754479; rev:1;)
alert tcp $HOME_NET any -> [104.21.35.221] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754480/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754480; rev:1;)
alert tcp $HOME_NET any -> [104.21.35.221] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754481/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mobileshop.ru.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754475/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"waytoonews.in.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754476/;
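target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754476; rev:1;)
# ThreatFox url-type rules, restored to one rule per line. Each matches a client GET request
# (flow:established,from_client) on a URI prefix and/or an exact Host value.
#
# NOTE(review): sid 91754474 expects the Telegram Bot API request in cleartext HTTP. That API is
# normally reached over HTTPS, so this rule presumably only fires where TLS is decrypted before the
# sensor - TODO confirm sensor placement. It is also limited to GET; a POST to the same bot path
# is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8498302719:aagnggypnp9afncu6d6f66sbcyu5qh20yfq/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754474/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754474; rev:1;)
# NOTE(review): sids 91754473, 91754472 and 91754471 originally looked for a bare IP address at the
# start of the URI buffer (http.uri; content:"<ip>"; depth:N; nocase;). A request URI begins with
# "/" (or with a scheme in proxy-form requests), so those anchored matches are not expected to fire.
# Presumably the IOC values were bare hosts without scheme or path - confirm against the IOC entries.
# The match is moved to http.host with depth + isdataat:!1,relative, as the other url rules in this
# feed do; the end anchor also keeps "101.36.114.24" from matching as a prefix of "101.36.114.248".
# Local edits with rev bumped to 2; they are overwritten by the next feed pull unless the rule
# generator is corrected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"101.36.114.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754473/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754473; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"101.36.114.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754472/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754472; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"27.102.138.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754471/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754471; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase;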
http.host; content:"tidexipz.cc"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754468/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mycago999.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754467/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1b8295a7e0284b08.php"; depth:21; nocase; http.host; content:"65.21.200.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754466/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c619c3a3bc843eb0.php"; depth:21; nocase; http.host; content:"213.159.79.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754465/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754465; rev:1;) alert tcp $HOME_NET any -> [46.224.143.22] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754464/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754464; rev:1;) alert tcp $HOME_NET any -> [51.83.185.120] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754463/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754463; rev:1;)
# Sliver ip:port indicators, all on destination port 31337 and all at confidence_level 50.
# Each rule keys on address and port only (no flow: or content:), and the threshold limits it to
# one alert per source address per 60 seconds. Treat a hit as a lead to enrich, not as proof of
# an implant session.
alert tcp $HOME_NET any -> [193.26.115.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754462/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754462; rev:1;)
alert tcp $HOME_NET any -> [161.97.117.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754461/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754461; rev:1;)
alert tcp $HOME_NET any -> [89.125.50.183] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754460/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754460; rev:1;)
alert tcp $HOME_NET any -> [108.161.129.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754459/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754459; rev:1;)
alert tcp $HOME_NET any -> [45.59.117.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754458/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_25; classtype:trojan-activity; sid:91754458; rev:1;)
# Payload-delivery domains: exact-name match on the DNS query. depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes, so other labels under the same parent do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monitorizacao.hla.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monitor.gurudowordpress.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754454; rev:1;)
# confidence_level 75 ip:port indicators (DeimosC2, Sliver, RansomHub per the msg text).
# The rules carry first_seen but no expiry, so address-based indicators can outlive the
# infrastructure they describe. Check the referenced ThreatFox entry before acting on an older hit.
alert tcp $HOME_NET any -> [99.83.215.169] 8125 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754444/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754444; rev:1;)
alert tcp $HOME_NET any -> [52.188.77.253] 8013 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754443/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754443; rev:1;)
alert tcp $HOME_NET any -> [49.13.15.44] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754442/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754442; rev:1;)
alert tcp $HOME_NET any -> [38.190.254.97] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754440/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754440; rev:1;)
# The same address is listed on two ports. The 443 rule does not inspect TLS (it has no tls.sni or
# certificate option), so any service reachable at that address and port raises the same alert.
alert tcp $HOME_NET any -> [185.72.8.121] 443 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754439/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754439; rev:1;)
alert tcp $HOME_NET any -> [185.72.8.121] 1032 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754438/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754438; rev:1;)
# The hlk.* / wtf.* names below also appear as http.host matches in sids 91754430-91754433, so a
# single cleartext visit can raise both a DNS alert and an HTTP alert for the same host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlk.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlk.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtf.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754436/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_25; classtype:trojan-activity; sid:91754436; rev:1;)
# Exact-name DNS match: depth equals the pattern length and isdataat:!1,relative forbids trailing
# bytes, so only this full query name fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtf.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754437; rev:1;)
# HTTP twins of the hlk.* / wtf.* DNS rules (sids 91754434-91754437). The URI pattern "/" with
# depth:1 matches every origin-form request, so these are in effect exact-host matches on GET.
# nocase on "/" has no effect. They only see cleartext HTTP; if the host is reached over TLS
# without decryption, the DNS rule is the one that can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wtf.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wtf.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hlk.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hlk.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754433; rev:1;)
# ip:port indicators at confidence_level 100. The confidence value describes the feed's view of
# the indicator, not the strength of the match: each rule still keys on destination address and
# port alone, with the threshold limiting it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.177.46.77] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754428; rev:1;)
alert tcp $HOME_NET any -> [18.221.2.94] 30913 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754427; rev:1;)
alert tcp $HOME_NET any -> [185.144.158.152] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754426; rev:1;)
alert tcp $HOME_NET any -> [138.199.59.5] 60736 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754425; rev:1;)
alert tcp $HOME_NET any -> [47.101.173.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modernlaundry.itoffshoresupport.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754421; rev:1;)
# The Havoc rule below targets port 80 but is a plain tcp rule, so it matches on address and port
# and does not look at the HTTP request.
alert tcp $HOME_NET any -> [94.154.35.160] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754420; rev:1;)
alert tcp $HOME_NET any -> [52.199.136.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754419; rev:1;)
alert tcp $HOME_NET any -> [106.246.233.154] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brfwhb.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.gieable.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754373/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_25; classtype:trojan-activity; sid:91754373; rev:1;)
# Payload-delivery URL: the URI must begin with the 10-byte path (there is no end anchor, so
# longer paths and query strings also match) and the Host value must equal the listed address
# exactly (depth plus isdataat:!1,relative). Only GET requests on an established client flow
# are considered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; nocase; http.host; content:"83.142.209.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754378/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754378; rev:1;)
# ip:port rule: it matches on destination address and port only and is limited to one alert per
# source address per 60 seconds.
alert tcp $HOME_NET any -> [45.142.107.217] 323 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754407; rev:1;)
# Domain rules: exact match on the full DNS query name (depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes). For hosts under shared parent zones such as
# ply.gg and duckdns.org, the rule therefore pins the one listed hostname and does not flag the
# parent service as a whole.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moderne-genealogie.hooftvanhuysduynen.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niggercattleultimatum.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"womanless-assurance.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envi2026fe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moafrikapayments.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mnmpowersolutions.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mnmabogados.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754408; rev:1;)
# Meterpreter ip:port indicators. The destination ports are arbitrary per listener, so the
# address/port pair is the whole signal; there is no payload or handshake check behind it.
alert tcp $HOME_NET any -> [103.177.47.162] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754406; rev:1;)
alert tcp $HOME_NET any -> [54.174.76.50] 22822 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754405; rev:1;)
alert tcp $HOME_NET any -> [196.75.121.210] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754404; rev:1;)
alert tcp $HOME_NET any -> [43.203.204.160] 51005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754403; rev:1;)
alert tcp $HOME_NET any -> [15.152.44.169] 788 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miriart.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754401; rev:1;)
alert tcp 
$HOME_NET any -> [46.246.4.9] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754400; rev:1;)
# ip:port indicators: each rule matches on destination address and port only (no flow: or
# content:). The threshold is set per rule, so a host that contacts several listed endpoints
# produces one alert per rule per 60 seconds.
# The two port-443 rules in this group do not inspect TLS, so they cannot tell C2 traffic from
# any other service at the same address.
alert tcp $HOME_NET any -> [154.36.188.85] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754399; rev:1;)
alert tcp $HOME_NET any -> [92.118.231.105] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754398; rev:1;)
alert tcp $HOME_NET any -> [149.104.90.204] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754397; rev:1;)
alert tcp $HOME_NET any -> [172.111.213.118] 1962 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754396; rev:1;)
# Domain rules: exact match on the full query name. The first one is at confidence_level 75 and
# the rest are at 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.polymarketapi.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754395/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_25; classtype:trojan-activity; sid:91754395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mktmindsstudio.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkt.agosassessoriacontabil.com.br"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754391; rev:1;)
alert tcp $HOME_NET any -> [201.103.99.105] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754390; rev:1;)
alert tcp $HOME_NET any -> [123.60.53.85] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754389; rev:1;)
alert tcp $HOME_NET any -> [137.220.219.244] 8083 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754388; rev:1;)
alert tcp $HOME_NET any -> [179.110.250.222] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754387; rev:1;)
alert tcp $HOME_NET any -> [51.250.29.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754386; rev:1;)
# The names below sit under shared parent zones (duckdns.org, it.com, eu.com, sa.com).
# NOTE(review): these parents look like dynamic-DNS or third-party subdomain registries; verify.
# Because each rule anchors both ends of the query name, only the listed host alerts and
# unrelated names under the same parent are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfzpark9.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82vna.it.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stuff.eu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"br7us6.sa.com"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754380; rev:1;)
# Domain rules: dns_query selects the query-name buffer. depth equal to the pattern length anchors
# the start and isdataat:!1,relative anchors the end, giving an exact, case-insensitive match on
# the listed name. A DNS hit shows that a host resolved the name, not that it fetched anything
# from it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvv.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mkankw.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mjcabocustomsolutions.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miusictherapy.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mistwaresolutions.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"missioninaction.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"missalromano.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"misangamoon.blog"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754368; rev:1;)
# Meterpreter ip:port indicators. 54.67.27.207 is listed on four ports (20001, 9201, 101, 56601),
# each as its own rule with its own threshold, so one internal host talking to that address on
# several ports can raise up to four alerts per 60 seconds. Correlate on destination address
# when triaging.
alert tcp $HOME_NET any -> [56.124.121.117] 9895 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754366; rev:1;)
alert tcp $HOME_NET any -> [54.67.27.207] 20001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754365; rev:1;)
alert tcp $HOME_NET any -> [54.67.27.207] 9201 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754364; rev:1;)
alert tcp $HOME_NET any -> [54.67.27.207] 101 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754363; rev:1;)
alert tcp $HOME_NET any -> [54.67.27.207] 56601 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754362; rev:1;)
alert tcp $HOME_NET any -> [52.27.144.112] 28549 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754361; rev:1;)
alert tcp $HOME_NET any -> [38.132.122.134] 43211 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754360; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.106] 8080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; 
classtype:trojan-activity; sid:91754359; rev:1;) alert tcp $HOME_NET any -> [54.82.61.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754358; rev:1;) alert tcp $HOME_NET any -> [206.206.127.178] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754357; rev:1;) alert tcp $HOME_NET any -> [51.75.62.52] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754356; rev:1;) alert tcp $HOME_NET any -> [191.107.91.72] 5061 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754355; rev:1;) alert tcp $HOME_NET any -> [124.198.132.120] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_25; classtype:trojan-activity; sid:91754354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mip-portal.ru"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754353; rev:1;)
# Domain rules: depth equals the length of the content string and isdataat:!1,relative
# rejects any trailing byte, so the dns_query buffer must equal the listed name exactly
# (nocase makes the comparison case-insensitive). fast_pattern hands the name to the
# multi-pattern prefilter. target:src_ip marks the querying $HOME_NET host as the
# affected side in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mintdentalfamily.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754350; rev:1;)
# The match includes the "www." label: a lookup of the bare registered domain or of any
# other host under it does not fire this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.gieable.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754348; rev:1;)
# ip:port rule: no flow, flags or payload keyword is present, so the rule keys on
# destination address and port alone and does not inspect the TLS session on 443.
# The threshold limits output to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [102.157.54.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754347; rev:1;)
# Exact-name matching keeps this rule scoped to the single hostname under duckdns.org;
# other hostnames under the same parent domain are not matched by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazymanthingz.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graceforrealzeternity.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754346/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754346; rev:1;) alert tcp $HOME_NET any -> [23.88.110.42] 8443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754344; rev:1;) alert tcp $HOME_NET any -> [124.198.132.10] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754343; rev:1;) alert tcp $HOME_NET any -> [3.108.67.17] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkn-extrnets.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v4.210hosting.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754340; rev:1;) alert tcp $HOME_NET any -> [91.92.241.197] 2406 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754339; rev:1;) alert tcp $HOME_NET any -> [45.251.240.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754338; rev:1;) alert tcp $HOME_NET any -> [3.239.129.76] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754337; rev:1;) alert tcp $HOME_NET any -> [82.165.51.16] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754335; rev:1;) alert tcp $HOME_NET any -> [93.152.217.141] 50000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754336; rev:1;) alert tcp $HOME_NET any -> [192.159.99.83] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; 
sid:91754334; rev:1;)
# ip:port rule: there is no flow, flags or payload keyword, so any TCP packet from
# $HOME_NET to this address and port matches; the rule does not require an established
# session. threshold caps output at one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [114.66.58.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754332; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative rejects trailing
# bytes, so the dns_query buffer must equal the name exactly (case-insensitively, via
# nocase). The rule below therefore covers only this one hostname under portmap.host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gekw-55463.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754333; rev:1;)
# Because the match is exact, a parent-domain rule does not cover its subdomains: the
# parent and each of the two subdomains below carry their own rule and SID. Any further
# host under bj88games.cool that is not listed would go unmatched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bj88games.cool"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.bj88games.cool"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat.bj88games.cool"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754330; rev:1;)
alert tcp $HOME_NET any -> [49.13.15.44] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754331/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_24; classtype:trojan-activity; sid:91754331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feb237777.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps3000.kozow.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754326; rev:1;) alert tcp $HOME_NET any -> [70.39.202.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754325; rev:1;) alert tcp $HOME_NET any -> [85.239.151.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minimaxinvestor.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754323/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minimatrix.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minikyildizlar.com.tr"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minidramy.pl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miniarture.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minhafertilidade.com.br"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754317; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minerva-academy.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minerfin-ukraine.com.ua"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s2s942l0.modernsignal.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0kuelyp.modernsignal.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mineralmed.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"minegocio-digital.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mindbodyandflow.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minalou-cosplay.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mimundofinanciero.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miloukempers.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miloserd.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iwkzzjit.rapidmatrix.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3li6xvqk.rapidmatrix.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"credil.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipez.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"integri.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; 
classtype:trojan-activity; sid:91754284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mensare.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canvasn.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"convexm.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iivouw.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pageld.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"thinlpr.buzz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"touchfh.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdf.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaboim.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genetiz.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"screwd.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkbq.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virginiasecuritysystem.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winestoragecalifornia.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grouphomesflorida.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"milene.dicasdamilly.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754269/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_24; classtype:trojan-activity; sid:91754269; rev:1;)
# Exact-name DNS rule: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only a query for this precise name (any letter case) matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mikeyandthemagicmedicine.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754268; rev:1;)
# ip:port rules: matching is on destination address and port only (no flow, flags or
# payload keyword), rate-limited by threshold to one alert per source host per 60 seconds.
alert tcp $HOME_NET any -> [42.193.175.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754267; rev:1;)
# The next three entries are rated 75% by the feed. The lower rating appears only in the
# msg text and in metadata confidence_level; action, classtype and threshold are the same
# as for the 100% entries, so any difference in handling has to be applied downstream by
# reading the metadata key. The rule on port 443 does not look at TLS content, so every
# connection from $HOME_NET to that address on 443 alerts.
alert tcp $HOME_NET any -> [221.204.14.38] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754266/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754266; rev:1;)
alert tcp $HOME_NET any -> [198.211.119.52] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754265; rev:1;)
alert tcp $HOME_NET any -> [146.190.17.255] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754264/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"mikasperling.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"honerable-bk.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"honerable.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754259; rev:1;) alert tcp $HOME_NET any -> [185.98.168.28] 32865 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xword5.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfx.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754249/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754249; rev:1;)
# Exact-name DNS rule: depth equals the content length and isdataat:!1,relative rejects
# trailing bytes, so only a query for this precise name (any letter case) matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfx.cardiffphysio.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754250; rev:1;)
# URL rules: flow:established,from_client restricts the match to client requests on an
# established session. http.host is anchored at both ends (depth = name length plus
# isdataat:!1,relative), i.e. an exact host match. http.uri is anchored only at its first
# byte: content:"/" with depth:1 has no end-of-buffer check, so every GET on this host
# whose URI begins with "/" matches, not just a request for the bare root path. nocase
# has no effect on "/".
# NOTE(review): if the IOC is meant to be the root URL only, the uri match would need an
# end anchor like the one on the host match; confirm against the ThreatFox entry.
# These rules require the HTTP request to be visible in cleartext; the dns_query rules for
# the same two hostnames (sids 91754249 and 91754250) fire on the lookup itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tfx.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tfx.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"midwestopenwheel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"midtownmodern.designfoody.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"midabau.de"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"microscanning.dustwatch.co.za"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"microbiology.bg.ac.rs"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754241; rev:1;) alert tcp $HOME_NET any -> [45.95.201.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754238/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754238; rev:1;) alert tcp $HOME_NET any -> [185.70.186.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754239/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754239; rev:1;) 
# ip:port rules: each one matches on destination address and port alone. There is no
# flow, flags or payload keyword, so any TCP packet from $HOME_NET to the listed endpoint
# fires, whether or not a session is established and whatever protocol is spoken.
# threshold limits output to one alert per source host per 60 seconds; target:src_ip marks
# the internal host as the affected side in the alert record.
# The first two entries are rated 75% by the feed and point at port 80. The rating is
# carried only in msg and metadata confidence_level, so lower-confidence hits can be
# separated only by reading that metadata key downstream. first_seen in metadata is the
# only age information in the rule; the rule itself does not expire.
alert tcp $HOME_NET any -> [37.49.225.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754240/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754240; rev:1;)
alert tcp $HOME_NET any -> [5.142.195.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754237/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754237; rev:1;)
alert tcp $HOME_NET any -> [51.84.223.121] 48415 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754236; rev:1;)
# NOTE(review): the msg follows the feed's "<family> botnet C2 traffic" wording; for a
# credential-dumping tool such as Mimikatz the entry presumably marks a host associated
# with the tool rather than a C2 protocol - check the reference URL before triage. The
# same address is also listed in this feed on port 443 under Sliver (sid 91754356).
alert tcp $HOME_NET any -> [51.75.62.52] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754235; rev:1;)
alert tcp $HOME_NET any -> [3.15.204.70] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754234; rev:1;)
alert tcp $HOME_NET any -> [207.180.217.49] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754233/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754233; rev:1;) alert tcp $HOME_NET any -> [74.118.172.190] 7736 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754232; rev:1;) alert tcp $HOME_NET any -> [146.19.248.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micoto.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"underdynamicment.pics"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754229; rev:1;) alert tcp $HOME_NET any -> [185.203.119.225] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"overmonthlyary.pics"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"misyouthfuldom.pics"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"misdecreaseize.pics"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"surgicalify.pics"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"regularexpressions.re"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"michaelwander.com"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"enixwegemtir.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754220; rev:1;) alert tcp $HOME_NET any -> [94.156.35.16] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jquerymanager.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pingimages.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"imagesping.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754216/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_24; classtype:trojan-activity; sid:91754216; rev:1;)
# ThreatFox URL indicators; most hosts in this section also have a dns_query rule.
# The "alert http" rules need an established client-to-server flow, a GET
# method, http.uri starting with the listed path, and http.host equal to the
# listed name (depth + isdataat:!1,relative). The path is bounded only by depth
# (no end anchor), so a request whose URI continues past the path, e.g. with a
# query string, still matches.
# Two paths, /ext.42d17f53da07.js and /ext-b.8212ebb6b622.js, repeat across the
# hosts in this section.
# NOTE(review): the http rules inspect cleartext HTTP only. If these hosts are
# reached over TLS, only the dns_query rules can fire here; confirm that DNS
# from $HOME_NET is visible to this sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"analyticshore.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"analyticshore.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"analyticshore.icu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754120; rev:1;)
# Exact-name dns_query rules: depth equal to the name length plus
# isdataat:!1,relative means other labels under the same parent domain are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cliffroot.wildandstone.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pinegloom.darkbypine.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowcone.darkbypine.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nighttimber.darkbypine.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754100; rev:1;)
# The two recurring script paths again, on further hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"insightpixel.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metricspixel.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"metricspixel.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"metricspixel.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelinsights.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"pixelinsights.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"pixelinsights.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pixelmetrics.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"pixelmetrics.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"pixelmetrics.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datapixel.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"datapixel.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"datapixel.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754176; rev:1;)
# Further URL/domain entries with other script paths (/api/css.js, /6o0jk.js,
# /js.php); same rule shape as above. The short paths are prefix matches too,
# so http.host is the condition that keeps these rules specific.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opsecdefcloud.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"opsecdefcloud.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"checkpointviewzen.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"noobrate.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"noobrate.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754189/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6o0jk.js"; depth:9; nocase; http.host; content:"foodgefy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foodgefy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"foodgefy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; 
sid:91754204; rev:1;)
# ThreatFox ip:port indicators. Each "alert tcp" rule matches any TCP packet from
# $HOME_NET to the single listed address and port, with no flow or payload
# condition; "threshold: type limit, track by_src, seconds 60, count 1" keeps
# it to one alert per source host per 60 seconds.
# NOTE(review): confidence_level varies in this section (100, 90, 75 and 50 all
# appear in the metadata). Consider routing the sub-100 entries to a lower
# priority, since an address-only match gives no protocol evidence of its own.
alert tcp $HOME_NET any -> [73.249.12.196] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754214/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754214; rev:1;)
alert tcp $HOME_NET any -> [41.226.244.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754213; rev:1;)
alert tcp $HOME_NET any -> [112.124.58.168] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754212; rev:1;)
# Domain entries in this section are exact-name matches (depth equal to the name
# length plus isdataat:!1,relative on the dns_query buffer); subdomains are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"michaeldeleget.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754211; rev:1;)
alert tcp $HOME_NET any -> [34.104.144.130] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754210/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_24; classtype:trojan-activity; sid:91754210; rev:1;)
alert tcp $HOME_NET any -> [47.99.159.88] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miauau.com.br"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miagcore.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754201; rev:1;)
alert tcp $HOME_NET any -> [23.94.206.26] 5610 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mgconsorcio.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754197; rev:1;)
alert tcp $HOME_NET any -> [5.61.40.97] 45332 (msg:"ThreatFox XMRIG botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754194/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754194; rev:1;)
# NOTE(review): sid:91754193 below anchors the literal "5.61.40.97" at the start
# of http.uri (depth:10) and has no http.host condition. Request URIs normally
# begin with "/", so as written this looks unlikely to match ordinary requests.
# The address was presumably the host part of the URL IOC; confirm against the
# referenced ThreatFox entry before relying on this rule. The ip:port rule just
# above (sid:91754194) covers the same address on port 45332 only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.61.40.97"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1754193/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asas42424.dynuddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754191; rev:1;)
alert tcp $HOME_NET any -> [37.165.32.148] 4444 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7ff.com.br"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daga.guru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754182; rev:1;)
alert tcp $HOME_NET any -> [196.75.218.10] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754181; rev:1;)
alert tcp $HOME_NET any -> [43.209.118.213] 47745 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754180; rev:1;)
alert tcp $HOME_NET any -> [58.244.40.171] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754179; rev:1;)
alert tcp $HOME_NET any -> [169.40.135.36] 8888 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754178; rev:1;)
# URL indicator: GET on an established client-to-server flow, http.uri starting
# with the listed path (prefix match via depth) and http.host equal to the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"insightpixel.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"insightpixel.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754162; rev:1;)
# ThreatFox payload-delivery indicators, three rules per host: two "alert http"
# rules for the script paths /ext-b.8212ebb6b622.js and /ext.42d17f53da07.js,
# then one dns_query rule for the host name itself.
# The http rules need an established client-to-server flow, a GET method,
# http.uri starting with the path (depth only, so a longer URI with the same
# prefix still matches) and http.host equal to the listed name. The dns rules
# match the exact query name only; subdomains are not covered.
# NOTE(review): the googlanalitlcs.* names read like look-alikes of a well-known
# analytics brand (inferred from the spelling only). Because every rule matches
# one exact host name, other spellings or TLDs need their own feed entries.
# NOTE(review): the http rules inspect cleartext HTTP only; over TLS, the
# dns_query rules are the ones that can fire here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"googlanalitlcs.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"googlanalitlcs.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlanalitlcs.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"googlanalitlcs.pro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"googlanalitlcs.pro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlanalitlcs.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"googlanalitlcs.live"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"googlanalitlcs.live"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlanalitlcs.live"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"googlanalitlcs.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"googlanalitlcs.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlanalitlcs.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754150; rev:1;)
# Same two script paths on further .icu hosts, again followed by the exact-name dns_query rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"webtracelab.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"webtracelab.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webtracelab.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"webpulsedata.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"webpulsedata.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webpulsedata.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"siteinsights.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"siteinsights.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"siteinsights.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"pagestatix.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"pagestatix.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pagestatix.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"datapointly.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"datapointly.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datapointly.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754135/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_24; classtype:trojan-activity; sid:91754135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"clickstream.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"clickstream.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clickstream.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"visitorflow.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"visitorflow.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"visitorflow.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"trackmetrica.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"trackmetrica.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trackmetrica.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754126; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext-b.8212ebb6b622.js"; depth:22; nocase; http.host; content:"metricvault.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ext.42d17f53da07.js"; depth:20; nocase; http.host; content:"metricvault.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metricvault.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"au72nuxzv2.ufs.sh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754119/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ovfs585i.urbanforge.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754117/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_24; classtype:trojan-activity; sid:91754117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shsq4l7w.urbanforge.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metrospec.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metronix.ph"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754114; rev:1;) alert tcp $HOME_NET any -> [110.43.39.250] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whb0d8.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754112; rev:1;) alert tcp $HOME_NET any -> [40.66.48.150] 1024 (msg:"ThreatFox DCRat 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754111; rev:1;) alert tcp $HOME_NET any -> [102.117.167.31] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analyticallsolutions.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fb88vn.uk.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tecc.jpn.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2z0nkkls.lumenbit.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1754105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r615p0ru.lumenbit.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jy8vxjxs.lumenbit.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silvertrail.silvermypath.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754101; rev:1;) alert tcp $HOME_NET any -> [46.225.85.130] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754099/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754099; rev:1;) alert tcp $HOME_NET any -> [46.225.68.122] 3379 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754098/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; 
sid:91754098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metodocrie.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1b8295a7e0284b08.php"; depth:21; nocase; http.host; content:"65.21.200.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754094; rev:1;) alert tcp $HOME_NET any -> [172.94.100.226] 29810 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754093; rev:1;) alert tcp $HOME_NET any -> [3.71.225.231] 13447 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754092; rev:1;) alert tcp $HOME_NET any -> [18.153.198.123] 13447 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754091; rev:1;) alert tcp $HOME_NET any -> [18.192.31.30] 13447 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vbb24wmu.lumenbit.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5mf4m58e.lumenbit.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754086; rev:1;) alert tcp $HOME_NET any -> [188.23.172.228] 8000 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754085/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masterstudy.mkdi.mx"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"154.221.21.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754079/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oklefe.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dltruek.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"oklefe.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dltruek.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1754066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"dltruek.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"dltruek.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"dltruek.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"dltruek.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754070; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"ldture.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ldture.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rockgrove.wildandstone.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754078; rev:1;) alert tcp $HOME_NET any -> [139.84.213.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754075/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metalma.ind.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"stonewild.wildandstone.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"epi66tim.velocore.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pq2uim2y.velocore.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickpetal.fastleaf.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mesorfa.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapidfern.fastleaf.in.net"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754051; rev:1;)
# Domain IOCs. dns_query with depth equal to the name's length plus isdataat:!1,relative anchors both
# ends of the buffer, so each rule fires only on a query for exactly that name (nocase); a subdomain
# of a listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mesmekanik.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swiftbranch.fastleaf.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chillwater.coldinriver.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754045; rev:1;)
# confidence_level 75 (msg and metadata): weight a hit on this entry below the 100% entries when triaging.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oficialrem.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754041/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"icetorrent.coldinriver.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754040; rev:1;)
# URL IOC (confidence_level 90). http.uri only has to begin with "/" (depth:1), so every GET request
# whose http.host is exactly dblanka.com alerts. The http.* buffers exist only for HTTP that Suricata
# parses, so the same host reached inside TLS is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dblanka.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754006/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_24; classtype:trojan-activity; sid:91754006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mergersandacquisitions.events"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"froststream.coldinriver.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754037; rev:1;)
# ip:port IOCs. No content or flow keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, and the threshold emits at most one alert per source address per 60 seconds.
# NOTE(review): on tcp/443 the address is the only discriminator, so any other service on the same IP
# would match as well -- check the referenced IOC entry before acting on a hit.
alert tcp $HOME_NET any -> [74.0.32.70] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754031; rev:1;)
alert tcp $HOME_NET any -> [138.226.237.176] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754032; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.29] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754033; rev:1;)
alert tcp $HOME_NET any -> [46.225.101.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754034; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754035; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.49] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754036; rev:1;)
# Domain IOCs, exact-name match as for the dns rules above. The same two names are also used as
# http.host values by the url rules sid:91754027 and sid:91754028.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.it-bd.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.cardiffphysio.com"; depth:21; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754030; rev:1;)
# URL IOCs whose path is "/". http.uri is matched as a one-byte prefix (depth:1), so these rules reduce
# to an exact http.host match on GET requests: depth equals the host string's length and
# isdataat:!1,relative forbids trailing bytes.
# The six IP hosts are also listed as tcp/443 ip:port rules (sid:91754031-91754036) and the two names
# as dns rules (sid:91754029, sid:91754030).
# NOTE(review): these rules only see HTTP that Suricata can parse; traffic to the same hosts inside
# TLS is left to the ip:port and dns rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.cardiffphysio.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.70"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.226.237.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.29"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.101.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.8"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.it-bd.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754027; rev:1;)
# Domain IOC: dns_query with depth equal to the name's length plus isdataat:!1,relative matches a
# query for exactly this name (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"emberpelt.brightforfox.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1754020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754020; rev:1;)
# ip:port IOCs. No content or flow keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, and the threshold emits at most one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.177.47.111] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754019; rev:1;)
alert tcp $HOME_NET any -> [54.252.232.13] 18244 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754018; rev:1;)
alert tcp $HOME_NET any -> [102.98.100.6] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754017; rev:1;)
# Domain IOCs. dns_query with depth equal to the name's length plus isdataat:!1,relative matches a
# query for exactly the listed name (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mercado3f.com.ar"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brighttail.brightforfox.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754015; rev:1;)
alert tcp $HOME_NET any -> [194.156.79.197] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meraki2.abdesign.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foxspark.brightforfox.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754012; rev:1;)
# confidence_level 75 ip:port entry on tcp/443: the address is the only condition.
alert tcp $HOME_NET any -> [45.85.147.75] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754011/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axiscontrol.ltd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754010; rev:1;)
# 185.182.187.151 is covered three ways: this ip:port rule on tcp/80 (confidence_level 75) and the
# two url rules that follow (confidence_level 100).
alert tcp $HOME_NET any -> [185.182.187.151] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754009/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91754009; rev:1;)
# URL IOCs. http.uri is anchored at the start only (depth equals the path length, no isdataat), so a
# longer URI that begins with the path -- including one with a query string -- also matches; nocase
# applies to the path. http.host must equal the listed value exactly. These url rules carry no
# threshold, so every matching request produces an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agent/register"; depth:19; nocase; http.host; content:"185.182.187.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ws/agent"; depth:9; nocase; http.host; content:"185.182.187.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1754008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91754008; rev:1;)
# confidence_level 50 entries from here on. The value is repeated in metadata, so lower-confidence
# hits can be filtered or routed on that field instead of being handled like the 100% entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ku3933net.guru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1754004/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754004; rev:1;)
alert tcp $HOME_NET any -> [59.15.175.174] 6000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754003/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754003; rev:1;)
alert tcp $HOME_NET any -> [101.36.114.248] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)";
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1754001/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91754001; rev:1;)
# ip:port IOCs at confidence_level 50. No content or flow keywords: any TCP packet from $HOME_NET to
# the listed address and port matches, limited to one alert per source address per 60 seconds.
# With no payload condition a hit says only that the address and port were contacted; treat these as
# leads to correlate with DNS, TLS and endpoint telemetry rather than as verdicts.
alert tcp $HOME_NET any -> [193.109.193.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753999/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753999; rev:1;)
alert tcp $HOME_NET any -> [64.176.41.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753998/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753998; rev:1;)
alert tcp $HOME_NET any -> [198.55.109.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753997/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753997; rev:1;)
alert tcp $HOME_NET any -> [152.228.129.164] 7000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753996/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753996; rev:1;)
alert tcp $HOME_NET any -> [52.149.255.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753995/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753995; rev:1;)
alert tcp $HOME_NET any -> [69.72.7.30] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753994/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753994; rev:1;)
alert tcp $HOME_NET any -> [103.228.38.76] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753993/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753993; rev:1;)
alert tcp $HOME_NET any -> [14.140.180.148] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753992/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753992; rev:1;)
alert tcp $HOME_NET any -> [94.103.12.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753991/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753991; rev:1;)
alert tcp $HOME_NET any -> [111.23.47.90] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753990/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753990; rev:1;)
alert tcp $HOME_NET any -> [3.208.225.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753989/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_24; classtype:trojan-activity; sid:91753989; rev:1;)
# Domain IOCs. dns_query with depth equal to the name's length plus isdataat:!1,relative matches a
# query for exactly the listed name (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skycurrent.clearatwind.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753988; rev:1;)
alert tcp $HOME_NET any -> [27.102.137.81] 4695 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geo-rock-sync-base.swiftcanyon.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swift-flow-node.swiftcanyon.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753827; rev:1;)
# URL IOC. http.uri must begin with "/supershell/login/" (depth:18, nocase, no end anchor) and
# http.host must equal 154.94.237.240 exactly; only HTTP that Suricata parses is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"154.94.237.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silvernode.digital"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devel.reputationreviews.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupahahahah.followz.st"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753900; rev:1;)
# Aisuru ip:port IOCs on tcp/8001 (confidence_level 100); matching is by address and port only, as
# for the ip:port rules above.
alert tcp $HOME_NET any -> [68.183.45.80] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753950; rev:1;)
alert tcp $HOME_NET any -> [46.101.85.248] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753951; rev:1;)
# Aisuru ip:port IOCs, all on tcp/8001 at confidence_level 100. No content or flow keywords: any TCP
# packet from $HOME_NET to the listed address and port matches, and the threshold emits at most one
# alert per source address per 60 seconds. target:src_ip flags the $HOME_NET side of the flow, so
# several of these sids firing for one internal source within a short window points at that host.
alert tcp $HOME_NET any -> [45.55.77.196] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753952; rev:1;)
alert tcp $HOME_NET any -> [137.184.111.42] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753953; rev:1;)
alert tcp $HOME_NET any -> [161.35.171.177] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753954; rev:1;)
alert tcp $HOME_NET any -> [142.93.141.170] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753962; rev:1;)
alert tcp $HOME_NET any -> [159.89.46.211] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753963; rev:1;)
alert tcp $HOME_NET any -> [146.190.227.147] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753964; rev:1;)
alert tcp $HOME_NET any -> [167.172.205.188] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753965; rev:1;)
alert tcp $HOME_NET any -> [167.99.42.180] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753966; rev:1;)
alert tcp $HOME_NET any -> [167.71.73.197] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753967; rev:1;)
alert tcp $HOME_NET any -> [64.227.37.151] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753968; rev:1;)
alert tcp $HOME_NET any -> [198.211.115.123] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753969; rev:1;)
alert tcp $HOME_NET any -> [137.184.215.213] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753970; rev:1;)
alert tcp $HOME_NET any -> [138.197.125.215] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753971; rev:1;)
alert tcp $HOME_NET any -> [206.189.177.137] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753977; rev:1;)
# confidence_level 75 entry on tcp/443: the address is the only condition, so a hit needs
# corroboration from other telemetry before it is treated as C2.
alert tcp $HOME_NET any -> [185.182.187.10] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753987/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753987; rev:1;)
alert tcp $HOME_NET any -> [150.136.167.242] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753986; rev:1;)
alert tcp $HOME_NET any -> [185.203.116.63] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity;
sid:91753985; rev:1;)
# ip:port IOCs. No content or flow keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, and the threshold emits at most one alert per source address per 60 seconds.
# On tcp/80 and tcp/443 the rule cannot tell C2 from any other service on the same address.
alert tcp $HOME_NET any -> [43.139.52.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753984; rev:1;)
alert tcp $HOME_NET any -> [144.91.112.107] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753983/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753983; rev:1;)
# Domain IOCs. dns_query with depth equal to the name's length plus isdataat:!1,relative matches a
# query for exactly the listed name (nocase); subdomains of it do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hardconnect.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mentine-partytown.mentine.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"windglade.clearatwind.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearbreeze.clearatwind.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753979; rev:1;)
# confidence_level 75 ip:port entries, all on tcp/443; the value is repeated in metadata and can be
# used to route these separately from the 100% entries.
alert tcp $HOME_NET any -> [89.124.77.140] 443 (msg:"ThreatFox Amatera botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753978/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753978; rev:1;)
alert tcp $HOME_NET any -> [124.198.132.197] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753976/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753976; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.242] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753975/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753975; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.134] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753974/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753974; rev:1;)
alert tcp $HOME_NET any -> [84.54.33.133] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753973/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"summit-cliff-sync.freshcliff.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753972; rev:1;)
# ValleyRAT ip:port IOCs. 154.92.16.219 is listed on three ports (80, 8888, 6666), each with its own
# sid and its own per-source threshold, so one host can raise up to three alerts per minute for it.
alert tcp $HOME_NET any -> [43.98.243.193] 9999 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753961; rev:1;)
alert tcp $HOME_NET any -> [154.92.16.219] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753960; rev:1;)
alert tcp $HOME_NET any -> [154.92.16.219] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753959; rev:1;)
alert tcp $HOME_NET any -> [154.92.16.219] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query;
content:"geo-fresh-node.freshcliff.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753957; rev:1;)
# Domain IOCs. dns_query with depth equal to the name's length plus isdataat:!1,relative anchors both
# ends of the buffer, so each rule fires only on a query for exactly that name (nocase); a subdomain
# of a listed name does not match, and no threshold is set, so every matching query alerts.
# NOTE(review): dns_query is the older spelling of the dns.query buffer, while the url rules in this
# feed use the dotted http.* names -- confirm the deployed Suricata version accepts both forms.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"italiane.radio.fm"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrphadibro.in.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"memelab.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wind-cliff-monitor.freshcliff.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"membros.chicomorbene.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"members.avlgi.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"js0qnoh0.alphasync.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"melomeloprint.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b113a978.alphasync.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fresh-cliff-high.freshcliff.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"melbourne.holidaywebsites.com.au"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"area-grove-sync.brightgrove.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meimeiescort.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meihachi.hachiojisakura.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753934; rev:1;)
# ip:port IOC. No content or flow keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, and the threshold emits at most one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.177.47.84] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753933; rev:1;)
alert tcp $HOME_NET any ->
[40.177.2.200] 55615 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753932; rev:1;) alert tcp $HOME_NET any -> [158.94.209.58] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753931; rev:1;) alert tcp $HOME_NET any -> [3.141.155.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753930; rev:1;) alert tcp $HOME_NET any -> [57.128.255.124] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753929; rev:1;) alert tcp $HOME_NET any -> [45.64.52.154] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753928; rev:1;) alert tcp $HOME_NET any -> [45.64.52.148] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753927/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753927; rev:1;) alert tcp $HOME_NET any -> [45.64.52.167] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753926; rev:1;) alert tcp $HOME_NET any -> [113.45.185.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megashop.whmdesign.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"light-grove-hub.brightgrove.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megamixindustria.com.br"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megaexporter.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753919; rev:1;) alert tcp $HOME_NET any -> [102.159.97.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753918; rev:1;) alert tcp $HOME_NET any -> [212.71.250.244] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753917; rev:1;) alert tcp $HOME_NET any -> [46.246.6.3] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753916; rev:1;) alert tcp $HOME_NET any -> [45.38.42.189] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753915; rev:1;) alert tcp $HOME_NET any -> [43.226.125.90] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753914/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753914; rev:1;) alert tcp $HOME_NET any -> [45.64.52.146] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753913/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_24; classtype:trojan-activity; sid:91753913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mega.tada.vn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solar-grove-control.brightgrove.ru"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medsteticrp.com.br"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medigoods.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753901; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medicurineindiapharmaceutical.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"medical.takadanobaba-seitai.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bright-grove-park.brightgrove.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"data-clear-sync.clearfield.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"field-logic-base.clearfield.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"mediacityinc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"open-zone-monitor.clearfield.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clear-field-view.clearfield.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753887; rev:1;) alert tcp $HOME_NET any -> [186.169.63.236] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753885; rev:1;) alert tcp $HOME_NET any -> [43.226.125.76] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"media-publisher.ru"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1753883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_24; classtype:trojan-activity; sid:91753883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urban-data-point.urbanridge.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"city-ridge-sync.urbanridge.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"med.alpixweb.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"high-rise-monitor.urbanridge.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urban-ridge-city.urbanridge.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753877/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mechanicnow.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grass-land-node.silentmeadow.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f2i32y9f.silvernode.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zx45t73y.silvernode.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753873; rev:1;) alert tcp $HOME_NET any -> [41.105.137.137] 1605 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753871; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.namsioc.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753870; rev:1;) alert tcp $HOME_NET any -> [79.17.219.61] 6969 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753869; rev:1;) alert tcp $HOME_NET any -> [108.181.165.214] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753868; rev:1;) alert tcp $HOME_NET any -> [45.12.2.233] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toprak.localto.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toprakk.localto.net"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753866; rev:1;) alert tcp $HOME_NET any -> [43.226.125.88] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753858/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753858; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753859; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753860; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753861; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753862; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 
7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753863; rev:1;) alert tcp $HOME_NET any -> [26.63.91.104] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753864; rev:1;) alert tcp $HOME_NET any -> [43.226.125.73] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753857/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atex.xlz.xembongtt.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.xlz.xembongtt.dev"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.xlz.xembongtt.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.xlz.xembongtt.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.xlz.xembongtt.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phishing.xlz.xembongtt.dev"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantri.xlz.xembongtt.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.xlz.xembongtt.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753855/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.xlz.xembongtt.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753856; rev:1;) alert tcp $HOME_NET any -> [49.232.135.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753847; rev:1;) alert tcp $HOME_NET any -> [64.89.161.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nature-silent-sync.silentmeadow.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quiet-field-monitor.silentmeadow.in.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753844; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silent-meadow-base.silentmeadow.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"me-story.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdutyanaconsulting.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dune-logic-base.rapiddune.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdrconstrucao.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"heat-sync-node.rapiddune.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"desert-storm-monitor.rapiddune.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapid-dune-sand.rapiddune.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"path-logic-unit.silverpath.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clear-silver-route.silverpath.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"direct-access-line.silverpath.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silver-path-way.silverpath.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"depth-canyon-monitor.swiftcanyon.ru"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonorogeneticumkai.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nintendoroamumbrage.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swift-canyon-pass.swiftcanyon.ru"; depth:32; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mathwise.com.ua"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maxamar.com.ua"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"main-quick-dock.quickharbor.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"transit-harbor-node.quickharbor.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mckleenz.com.au"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753816/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fast-port-logic.quickharbor.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mchb.net"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quick-harbor-unit.quickharbor.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753811; rev:1;) alert tcp $HOME_NET any -> [152.42.181.193] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753808; rev:1;) alert tcp $HOME_NET any -> [20.46.46.225] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753807; rev:1;) alert tcp 
$HOME_NET any -> [3.99.191.50] 50995 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753806; rev:1;)
# ip:port rules carry no flow, flags or content keyword, so any TCP packet from
# $HOME_NET to the listed address and port matches, whatever the payload.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one alert
# per source address per 60 seconds, so alert counts do not reflect connection volume.
# The match is on address and port only; for a common port such as 80, corroborate a
# hit with host or proxy logs and check first_seen and the reference URL before acting.
alert tcp $HOME_NET any -> [43.217.116.210] 15201 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753805; rev:1;)
alert tcp $HOME_NET any -> [38.127.8.3] 8000 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753804; rev:1;)
alert tcp $HOME_NET any -> [84.32.98.188] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753803; rev:1;)
alert tcp $HOME_NET any -> [84.32.98.123] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753802; rev:1;)
alert tcp $HOME_NET any -> [151.243.109.24] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753801/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753801; rev:1;) alert tcp $HOME_NET any -> [192.210.175.31] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753800; rev:1;) alert tcp $HOME_NET any -> [76.27.194.132] 4480 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753799; rev:1;) alert tcp $HOME_NET any -> [178.16.55.108] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753798; rev:1;) alert tcp $HOME_NET any -> [149.50.96.57] 22 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753797; rev:1;) alert tcp $HOME_NET any -> [185.208.156.187] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"swog3mgt.openmatrix.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silver-zone-sync.silverfield.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"open-field-data.silverfield.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agri-tech-monitor.silverfield.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silver-field-base.silverfield.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"green-grove-sync.vividgrove.in.net"; 
depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forest-logic-center.vividgrove.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tennesseefuneralhomes.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nature-grove-data.vividgrove.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contatoplus.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vivid-grove-tree.vividgrove.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753778; rev:1;) alert tcp $HOME_NET any -> [38.69.244.101] 11999 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753777; rev:1;) alert tcp $HOME_NET any -> [47.252.78.68] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753776; rev:1;) alert tcp $HOME_NET any -> [111.31.243.247] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guce.yahoos.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gpt.yahoos.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753773; rev:1;) alert tcp $HOME_NET 
any -> [216.238.69.147] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753772/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91753772; rev:1;)
# Confidence differs between entries here (90, 100 and 75 percent), but every rule uses
# the same action and classtype:trojan-activity and none sets a priority keyword, so a
# 75 percent entry alerts exactly like a 100 percent one. The value is carried only in
# the msg text and in metadata confidence_level; filter or re-rank on that field
# downstream if lower-confidence address matches should be handled differently.
alert tcp $HOME_NET any -> [78.128.74.174] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753771; rev:1;)
alert tcp $HOME_NET any -> [118.107.44.173] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753770; rev:1;)
alert tcp $HOME_NET any -> [45.64.52.159] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"route-logic-sync.rapidtrail.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753768; rev:1;)
alert tcp $HOME_NET any -> [3.218.7.158] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1753767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ground-trail-monitor.rapidtrail.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rngj2amn.openmatrix.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fast-track-sensor.rapidtrail.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapid-trail-path.rapidtrail.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arctic-data-sync-node.thenorthernvertex.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753733/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"peak-vertex-auth.thenorthernvertex.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secure-logic-gateway.thenorthernvertex.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glow-ridge-light.glowridge.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mountain-glow-base.glowridge.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5fa3.js"; depth:8; nocase; http.host; content:"ts4style.com"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1753750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753750; rev:1;)
# The next two rules cover the same host twice: the dns rule fires on the lookup of
# ts4style.com, the url rule only when the HTTP request itself is visible to the sensor
# (an "alert http" rule cannot see a request carried inside TLS).
# In the url rule http.host is an exact match (depth 12 plus isdataat:!1,relative), while
# http.uri has depth only, so any request URI that begins with /js.php matches,
# including one with a query string appended.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ts4style.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"ts4style.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orbit-dash-control.orbitdash.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"satellite-data-node.orbitdash.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orbit-logic-base.orbitdash.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1753760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753760; rev:1;)
# The url rule below is listed at confidence 90 and names one page path on its host:
# http.host must equal digiskillzz.com exactly and http.uri must begin with the 29-byte
# path (depth only, so longer URIs with that prefix also match).
# NOTE(review): no domain rule for this host appears next to it, so presumably only
# that page is the indicator; confirm against the reference before treating the whole
# host as malicious. The rule needs the HTTP request in cleartext to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/best-youtube-seo-tools-2026/"; depth:29; nocase; http.host; content:"digiskillzz.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753761/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91753761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"space-track-system.orbitdash.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maxiinox.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ridge-data-point.glowridge.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"summit-sync-unit.glowridge.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753755; rev:1;)
alert tcp $HOME_NET any -> [176.65.132.90] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753753; rev:1;)
# NOTE(review): the url rule below has no http.host match; its only indicator is the
# IPv4 literal, tested against http.uri and anchored at offset 0 by depth:14. A request
# URI normally begins with "/", so the rule looks unable to fire on ordinary requests.
# Presumably the source URL had no path and its host ended up in the URI slot; confirm
# against the reference, and if so cover the address with a host or ip-based match in a
# local rule rather than relying on this one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.155.222"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1753749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753749; rev:1;)
alert tcp $HOME_NET any -> [31.58.236.121] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hqqnoa.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curries.uk.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; 
sid:91753746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asas31313.dynuddns.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittycom.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753744; rev:1;) alert tcp $HOME_NET any -> [5.61.40.97] 45673 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mauerwerksverfestigung.de"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"central-navigation-hub.thenorthernvertex.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"matildestileinnovazione.it"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestfrond.wildfern.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"central-monitoring-hub.clearcrest.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753672; rev:1;)
# In the url rule below the URI part is the 4-byte prefix /de/ (depth:4, no end anchor),
# so every GET under that directory on the exact host support-acrotab.de matches; the
# host match carries nearly all of the specificity. The rule fires only on HTTP the
# sensor can parse in cleartext, and no dns rule for this host sits next to it, so
# requests made over TLS are presumably not covered here - TODO confirm elsewhere in the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de/"; depth:4; nocase; http.host; content:"support-acrotab.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mathpirate.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753726; rev:1;)
alert tcp $HOME_NET any -> [13.49.226.59] 9999 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753723; rev:1;) alert tcp $HOME_NET any -> [13.49.226.59] 5349 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753722; rev:1;) alert tcp $HOME_NET any -> [84.38.129.14] 42000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753721; rev:1;) alert tcp $HOME_NET any -> [146.70.29.246] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"water-stream-analysis.steadybrook.in.net"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"steady-flow-brook.steadybrook.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753714/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coastal-storm-node.stormbay.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deep-water-sensor.stormbay.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weather-warning-system.stormbay.ru"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connectspecial.us"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753707; rev:1;) alert tcp $HOME_NET any -> [45.83.31.116] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753706/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; 
sid:91753706; rev:1;) alert tcp $HOME_NET any -> [45.88.186.216] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753705/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"storm-bay-watch.stormbay.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753704; rev:1;) alert tcp $HOME_NET any -> [45.83.31.104] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753703/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cliff-side-sync.brightcliff.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753701; rev:1;) alert tcp $HOME_NET any -> [45.88.186.34] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753700/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"vertical-data-flow.brightcliff.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753699; rev:1;) alert tcp $HOME_NET any -> [45.83.31.132] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753698/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fangbear.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"high-wall-monitor.brightcliff.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"max-acknowledge.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bright-cliff-edge.brightcliff.in.net"; depth:36; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1753694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753694; rev:1;) alert tcp $HOME_NET any -> [77.91.65.19] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753693; rev:1;) alert tcp $HOME_NET any -> [79.110.49.135] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753692; rev:1;) alert tcp $HOME_NET any -> [13.37.84.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753691; rev:1;) alert tcp $HOME_NET any -> [134.122.173.29] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753689/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753689; rev:1;) alert tcp $HOME_NET any -> [43.226.125.85] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753688/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"main-cool-harbor-sys.coolharbor.ru"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ship-dock-control.coolharbor.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cool-port-storage.coolharbor.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ocean-harbor-gate.coolharbor.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"street-level-sync.urbanstone.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"city-stone-track.urbanstone.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stone-solid-base.urbanstone.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urban-infrastructure-node.urbanstone.in.net"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"main-crest-auth.clearcrest.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"high-altitude-sensor.clearcrest.ru"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"crest-logic-point.clearcrest.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0ijoagy.crystalbit.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bxp0c9rt.crystalbit.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fernshade.wildfern.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenwild.wildfern.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mastermanicure.com.br"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753669; rev:1;)
# The line above is the tail of the rule for sid 91753669, which begins on the preceding line.
#
# ip:port rules carry no payload keywords, so any TCP traffic from $HOME_NET to the listed
# address and port matches. "threshold: type limit, track by_src, seconds 60, count 1" caps
# output at one alert per source host per 60 seconds.
# confidence_level 75 on port 443: a hit says only that a host reached this address, so
# corroborate with host or proxy telemetry before acting on it.
alert tcp $HOME_NET any -> [185.241.208.173] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753667/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753667; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative requires that no
# byte follows the match, so only the exact query name matches (case-insensitively, via
# nocase). Subdomains of the listed name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silentdraft.quietwind.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753666; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.109] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753665/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753665; rev:1;)
# URL rules: client GET requests on an established flow whose URI begins with the listed
# path (depth = path length with no end anchor, so longer paths and query strings also
# match) and whose Host value equals the listed name exactly.
# These inspect HTTP buffers only; the same request inside TLS is not seen unless the
# sensor has decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unaideg.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"withsuj.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753564; rev:1;)
# NOTE(review): sids 91753565, 91753566, 91753567 and 91753568 (below) place a hostname or
# IP address in http.uri and have no http.host match. A request URI normally begins with
# "/", so these probably do not fire on ordinary requests. This looks like a URL IOC
# without a path rendered into the URI buffer. Confirm against the referenced ThreatFox
# entries, and rely on an http.host or address-based match for these indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sfkjsdhfsdfsdhsken.cfd"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1753565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.193.19.5"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1753566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"138.124.53.228"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1753567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753567; rev:1;)
alert tcp $HOME_NET any -> [129.6.55.181] 2345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.203.61"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1753568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753568; rev:1;)
alert tcp $HOME_NET any -> [185.132.53.29] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753571; rev:1;)
# Same URI and Host conditions as sid 91753611 later in this file (confidence_level 50
# there, 100 here); a single matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-templates/five/five/pvqdq929bsx_a_d_m1n_a.php"; depth:49; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lhmgazksaccvarxoyo"; depth:19; nocase; http.host; content:"gatepass-corp.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753554/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91753554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softgust.quietwind.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753662; rev:1;)
# The line below is the head of a rule that continues on the following line.
alert tcp $HOME_NET any -> [130.12.180.127] 25566 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1753583/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_23; classtype:trojan-activity; sid:91753583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"lmstles-bootstrapped.click"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lmstles-bootstrapped.click"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.10.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753641/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91753641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arkanix.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calmbreeze.quietwind.in.net"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e-invoice.rar"; depth:14; nocase; http.host; content:"twmoi2002.tos-cn-shanghai.volces.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e-invoice.rar"; depth:14; nocase; http.host; content:"sdfw2026024.tos-cn-shanghai.volces.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/20260129/taxis_rx3001.7z"; depth:33; nocase; http.host; content:"twtaxgo.cn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cliffbird.sparrowinrock.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753656/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_23; classtype:trojan-activity; sid:91753656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masterclass.amolkarale.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqdrzbyq.cn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"etaxtw.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmaxjuyh.cn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njhwuyklw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"taukeny.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taxfnat.tw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taxhub.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taxpro.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkooyvff.cn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twswsb.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1753653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twtaxgo.cn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rockfeather.sparrowinrock.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753643; rev:1;) alert tcp $HOME_NET any -> [45.156.25.5] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753642/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonewing.sparrowinrock.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aidiyet.esb.org.tr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bloomshift.takeoverspring.in.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshuprise.takeoverspring.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maskreyrhodes.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"springclaim.takeoverspring.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"masterclass.natalieabrahamdreamcatcher.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753633; rev:1;) 
# ThreatFox IOC rules with first_seen 2026_02_23, laid out one rule per line.
# Conventions visible in the rules below:
#   - sid is the ThreatFox IOC id from the reference URL prefixed with 9
#     (ioc/1753632 -> sid:91753632), so an alert maps straight back to its IOC page.
#   - target:src_ip marks the $HOME_NET side as the target of the alert.
#   - metadata confidence_level repeats the percentage in msg; it is the field to
#     key on when tiering response (50 / 75 / 100 all occur below).
# Rule shapes:
#   dns  - dns_query content with depth equal to the content length plus
#          isdataat:!1,relative: the whole query name must equal the content
#          (nocase); a longer name such as a subdomain does not match.
#   tcp  - header-only match on destination IP and port, no flow or payload
#          keywords; threshold limits each sid to one alert per source per 60 s.
#   http - client GET on an established flow; the URI content is anchored at the
#          start only (depth, no isdataat), so it is a prefix match, while
#          http.host must match in full (depth + isdataat:!1,relative).
# NOTE(review): every rule is written $HOME_NET -> external. Where clients use a
# resolver inside $HOME_NET, the src_ip on dns alerts is presumably that resolver;
# correlate with resolver query logs to find the originating host.

alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"echocharge.blowofmike.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753632; rev:1;)

# AsyncRAT ip:port IOCs at confidence 50%: two destination addresses, each listed
# with ports 4782, 6606, 7707, 8808, 8848 and 8888.
# NOTE(review): both addresses appear to sit in address space used by a shared
# CDN / reverse-proxy provider - confirm ownership before acting. If so, a hit
# identifies the shared front end rather than one tenant; corroborate with
# endpoint telemetry before containment.
alert tcp $HOME_NET any -> [172.67.150.51] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753629/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753629; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753617/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753617; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753618/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753618; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753619/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753619; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753620/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753620; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753621/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753621; rev:1;)
alert tcp $HOME_NET any -> [104.21.30.15] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753622/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753622; rev:1;)
alert tcp $HOME_NET any -> [172.67.150.51] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753624/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753624; rev:1;)
alert tcp $HOME_NET any -> [172.67.150.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753625/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753625; rev:1;)
alert tcp $HOME_NET any -> [172.67.150.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753626/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753626; rev:1;)
alert tcp $HOME_NET any -> [172.67.150.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753627/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753627; rev:1;)
alert tcp $HOME_NET any -> [172.67.150.51] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753628/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753628; rev:1;)

# Confidence-50% domain and URL IOCs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"azzz8-37242.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753615/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753615; rev:1;)
# The Host here is a public paste service; the rule is scoped to it only by the
# URI prefix /raw/uwts7t8s, compared with nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uwts7t8s"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753613/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-templates/five/five/pvqdq929bsx_a_d_m1n_a.php"; depth:49; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753611/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753611; rev:1;)
# URI content "/" with depth:1 is satisfied by any path beginning with "/", so
# the next three rules fire on any such GET whose Host equals the listed value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.142.209.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753610/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tr2026.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753609/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"47.242.144.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753608/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/744f169d372be841.php"; depth:21; nocase; http.host; content:"85.28.47.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753607/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4e3d825c1654e79.php"; depth:21; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753606/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753606; rev:1;)

# Confidence-50% ip:port IOCs (DarkComet, Sliver).
alert tcp $HOME_NET any -> [43.251.72.254] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753605/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753605; rev:1;)
alert tcp $HOME_NET any -> [65.109.60.224] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753604/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753604; rev:1;)
alert tcp $HOME_NET any -> [38.242.157.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753603/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_23; classtype:trojan-activity; sid:91753603; rev:1;)

# Payload-delivery domains and a Remcos endpoint. The Remcos ip:port rule targets
# port 80 and is header-only, so it alerts on any TCP packet to that address and
# port, not on a particular HTTP request.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"micblast.blowofmike.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"windvoice.blowofmike.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crimsonbeat.rockinred.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753600; rev:1;)
alert tcp $HOME_NET any -> [216.9.225.213] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753599/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banglash.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753598/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753598; rev:1;)

# Seven URL IOCs on one host (38.180.242.203), confidence 100%. Each URI is a
# prefix match, so e.g. the /ping rule also matches longer paths that begin
# with /ping.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/finish"; depth:7; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugin"; depth:7; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/userinfo"; depth:9; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/browser"; depth:8; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discord"; depth:8; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filesearch/req"; depth:15; nocase; http.host; content:"38.180.242.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753596; rev:1;)

# Mixed domain and ip:port IOCs, confidence 75-100%. Several domains share a
# parent (rockinred.in.net, smartpine.ru, wildfern.ru, quietwind.ru); because the
# dns rules match whole names only, a sibling name under the same parent that is
# not listed here will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rockember.rockinred.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"massmosquito.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redstone.rockinred.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753587; rev:1;)
alert tcp $HOME_NET any -> [47.237.103.1] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"it-pine-management.smartpine.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753579; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.132] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bonaresupp.ddnsguru.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753576; rev:1;)
alert tcp $HOME_NET any -> [103.83.86.58] 14321 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753575; rev:1;)
alert tcp $HOME_NET any -> [172.111.169.11] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753573; rev:1;)
alert tcp $HOME_NET any -> [84.247.136.17] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753574; rev:1;)
alert tcp $HOME_NET any -> [151.241.154.193] 7007 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753572; rev:1;)
alert tcp $HOME_NET any -> [31.57.147.191] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753561/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753561; rev:1;)
alert tcp $HOME_NET any -> [198.23.175.46] 4078 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753560/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"martymarn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"central-pine-node.smartpine.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smart-timber-track.smartpine.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mascholl.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wood-processing-unit.smartpine.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wild-leaf-trace.wildfern.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marvingarcia.se"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753550; rev:1;)
alert tcp $HOME_NET any -> [102.117.175.85] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zehnder.ru.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"examinerapplied.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nature-logic-base.wildfern.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"obigold123.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753539/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forest-deep-sync-node.wildfern.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"botanical-research-archive.wildfern.ru"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quiet-air-monitor.quietwind.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marshallcreativedesign.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weather-station-data.quietwind.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silent-flow-node.quietwind.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atmospheric-sensor-unit.quietwind.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marshallspest.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753528; rev:1;)

# Vidar ip:port IOCs on 443, confidence 100%. These are header-only: any TCP
# packet from $HOME_NET to the address on 443 alerts, independent of TLS SNI or
# payload. Addresses can be reassigned over time, so use the first_seen metadata
# to age entries out, and confirm a hit against endpoint or proxy logs.
alert tcp $HOME_NET any -> [95.216.251.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753521; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.84] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753522; rev:1;)
alert tcp $HOME_NET any -> [65.21.250.195] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753523; rev:1;)
alert tcp $HOME_NET any -> [89.167.65.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753524; rev:1;)
alert tcp $HOME_NET any -> [23.88.67.147] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753525; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.223] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753526; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.222] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753508; rev:1;)
alert tcp $HOME_NET any -> [135.181.98.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753509; rev:1;)
alert tcp $HOME_NET any -> [157.180.15.186] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753510; rev:1;)
alert tcp $HOME_NET any -> [135.181.34.124] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753511; rev:1;)
alert tcp $HOME_NET any -> [46.225.171.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753512; rev:1;)
alert tcp $HOME_NET any -> [46.225.178.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753513; rev:1;)
alert tcp $HOME_NET any -> [5.78.188.7] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753514; rev:1;)
alert tcp $HOME_NET any -> [46.225.191.65] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753515; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753516; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.221] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753517; rev:1;)
alert tcp $HOME_NET any -> [188.245.87.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753518; rev:1;)
alert tcp $HOME_NET any -> [151.247.22.215] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753519; rev:1;)
alert tcp $HOME_NET any -> [77.42.28.70] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753520; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.219] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753495; rev:1;)
alert tcp $HOME_NET any -> [74.0.42.207] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753496; rev:1;)
alert tcp $HOME_NET any -> [74.0.42.146] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753497; rev:1;)
alert tcp $HOME_NET any -> [89.167.65.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753498; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753499; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.216] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753500; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.220] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753501; rev:1;)
alert tcp $HOME_NET any -> [95.217.239.119] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753502; rev:1;)
alert tcp $HOME_NET any -> [148.251.65.218] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753503; rev:1;)
alert tcp $HOME_NET any -> [74.0.32.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753504; rev:1;)
alert tcp $HOME_NET any -> [155.117.232.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753505; rev:1;)
alert tcp $HOME_NET any -> [94.130.47.219] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753506; rev:1;)
alert tcp $HOME_NET any -> [95.217.8.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753507; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox IOC batch, first_seen 2026_02_23 (sids 91753453-91753494 range).
# Rules are written one per line here; a rule broken across physical lines
# without a trailing backslash will not load.
#
# Common options in this batch:
#   target:src_ip        - the $HOME_NET endpoint is recorded as the affected
#                          host, so triage starts from the source address.
#   metadata             - confidence_level and first_seen are copied from the
#                          feed entry; first_seen can be used to age out
#                          stale indicators.
#   reference:url        - points at the ThreatFox IOC record for the sid.
# ---------------------------------------------------------------------------

# --- ip:port indicators (Vidar, per msg) -----------------------------------
# No payload inspection: any TCP packet from $HOME_NET to the listed address
# on port 443 matches. "threshold: type limit, track by_src, seconds 60,
# count 1" caps output at one alert per source host per 60 seconds.
# NOTE(review): an address-only match cannot distinguish C2 from other
# services on the same IP:443 - corroborate with the dns/http hits below.
alert tcp $HOME_NET any -> [155.117.232.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753493; rev:1;)
alert tcp $HOME_NET any -> [142.132.202.218] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753494; rev:1;)

# --- domain indicators (DNS query name) ------------------------------------
# Each rule inspects the dns_query buffer. depth equals the length of the
# content string and isdataat:!1,relative requires that nothing follows the
# match, so the whole query name must equal the listed name (nocase makes the
# comparison case-insensitive). A parent domain or a different label does not
# match, which is why every label (rak/sns/xbx/psn/saw/glo) has its own rule.
# These fire on the lookup itself, before any connection is made; they see
# only DNS the sensor can parse (presumably not DoH/DoT - verify locally).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glo.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glo.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rak.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sns.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbx.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psn.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saw.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glo.gofood.com.bd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rak.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sns.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbx.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psn.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saw.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glo.bettereveryball.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753492; rev:1;)

# --- url indicators (HTTP request) -----------------------------------------
# Client-to-server requests on established flows. Three conditions:
#   http.method contains "GET";
#   http.uri begins with "/" (content:"/"; depth:1) - any path satisfies
#     this, so the rule is in effect a host match;
#   http.host equals the listed name or address exactly (depth = content
#     length, isdataat:!1,relative).
# The msg for these sids does not name a malware family.
# NOTE(review): these match only HTTP the engine can parse in the clear.
# Hosts such as 151.247.22.215 and 77.42.28.70 also have ip:port rules on
# 443 in this ruleset, so if the traffic is TLS these sids stay silent
# unless the sensor sees decrypted traffic; coverage then rests on the dns
# and ip:port rules.
# NOTE(review): the http.host content carries no nocase; this relies on the
# buffer being lowercase-normalised - confirm for the deployed engine version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"glo.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"glo.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rak.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sns.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xbx.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"psn.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"saw.bettereveryball.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.67.147"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.223"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rak.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sns.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xbx.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"psn.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"saw.gofood.com.bd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.28.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.251.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.84"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.250.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.65.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.178.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.78.188.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.191.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.245.87.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"94.130.47.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.8.152"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"135.181.98.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.180.15.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; 
sid:91753450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"135.181.34.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.171.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"95.217.239.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.93"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"155.117.232.229"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/https://155.117.232.231/"; depth:25; nocase; http.host; content:"glo.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753433/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.202.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.207"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.146"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.65.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.92"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198735736086"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr55ii"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"glo.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1753432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753432; rev:1;)
# ThreatFox indicator rules, restored to one rule per line. Each sid is the IOC id from the rule's
# reference URL with a leading 9. target:src_ip marks the $HOME_NET host as the target in the alert.
#
# dns rules: depth equals the content length and isdataat:!1,relative forbids trailing bytes, so the
# query name must equal the listed name (nocase makes this case-insensitive). A subdomain of a listed
# name does not match.
# NOTE(review): dns_query is the older spelling of dns.query; the http rules below already use the
# dotted sticky-buffer names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bright-field-stat.brightvale.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"region-sync-base.brightvale.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudproxy.link"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maroseyka4.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apdevhost512.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"defragglerupdate.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753424; rev:1;)
# ip:port rules: no flow, flags or content keyword, so any TCP packet from $HOME_NET to the listed
# address and port matches; threshold (type limit, track by_src) keeps it to one alert per source
# per 60 seconds.
# NOTE(review): a hit shows contact with the address only. At confidence_level 75 on port 443,
# corroborate with DNS, TLS or endpoint telemetry before treating it as confirmed C2.
alert tcp $HOME_NET any -> [172.86.110.149] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753422/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753422; rev:1;)
# url rules: established client-to-server HTTP only; http.method must contain "GET"; http.uri must
# begin with the listed path (depth, no isdataat), so a query string after it still matches;
# http.host must equal the listed host exactly (depth plus isdataat:!1,relative).
# These inspect parsed HTTP, so the same URL requested over TLS is not seen unless traffic is
# decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/captcha.php"; depth:12; nocase; http.host; content:"64.95.12.162"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753421; rev:1;)
# NOTE(review): apdevhost512.com is also listed under sid 91753423 (payload delivery) above; a single
# query for it raises both alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apdevhost512.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"light-valley-hub.brightvale.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753419; rev:1;)
alert tcp $HOME_NET any -> [217.77.12.57] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753418/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"start-review-myacc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753417; rev:1;)
alert tcp $HOME_NET any -> [172.245.195.233] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753416/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solar-energy-control.brightvale.ru"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vitalstatisticsunit.bloodsubsequen.in.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753414; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.51] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753413/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"relay.windowupdateservice.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task_wait.php"; depth:14; nocase; http.host; content:"tenbravoid.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"priorityflowcontrol.bloodsubsequen.in.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipper_api.php"; depth:16; nocase; http.host; content:"tenbravoid.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1753409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753409; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tenbravoid.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753408; rev:1;)
# ThreatFox indicator rules, restored to one rule per line (sid = 9 followed by the IOC id from the
# reference URL).
# dns rules match the exact query name only: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes; nocase makes the comparison case-insensitive.
# ip:port rules carry no flow, flags or content keyword: any TCP packet from $HOME_NET to the listed
# address and port matches, limited by threshold to one alert per source per 60 seconds.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapid-stream-data.rapidbrook.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753407; rev:1;)
# NOTE(review): most ip:port rules in this run are confidence_level 75 on port 443. Action and
# classtype are the same as for confidence 100, so any weighting has to come from the metadata field.
alert tcp $HOME_NET any -> [2.58.56.46] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753406/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no.windowupdateservice.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"read.rojocapllc.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753404; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.102] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753403/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"read.bidiwallc.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753402/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753402; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.149] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753401/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oauth.openvpnet.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753400; rev:1;)
alert tcp $HOME_NET any -> [46.101.164.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753399/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753399; rev:1;)
# api.sessionvalidator.com and sessionvalidator.com (sid 91753397 below) are separate rules because
# of the exact-name match; other subdomains of that domain are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.sessionvalidator.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"compliancemetrics.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sessionvalidator.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753397; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.109] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753395/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"markusfeilner.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753394; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.75] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753393/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753393; rev:1;)
alert tcp $HOME_NET any -> [64.23.248.252] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753392/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753392; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.192] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753391/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753391; rev:1;)
alert tcp $HOME_NET any -> [45.93.31.198] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753390/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.webinfos.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753389; rev:1;)
alert tcp $HOME_NET any -> [188.23.168.81] 8000 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753388/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753388; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.126] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753387/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753387; rev:1;)
# ThreatFox indicator rules, restored to one rule per line (sid = 9 followed by the IOC id from the
# reference URL).
# dns rules match the exact query name only: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes; nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"water-network-node.rapidbrook.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap.dnamain.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marktrenkle.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753384; rev:1;)
# ip:port rules carry no flow, flags or content keyword: any TCP packet from $HOME_NET to the listed
# address and port matches, limited by threshold to one alert per source per 60 seconds.
# NOTE(review): several listed addresses share a /24 (45.88.186.x, 45.154.98.x, 124.198.131.x,
# 124.198.132.x). Each rule names one address, so unlisted neighbours in those ranges do not alert.
alert tcp $HOME_NET any -> [142.93.43.96] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753383/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"relay.sevfrtdxs.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753382; rev:1;)
alert tcp $HOME_NET any -> [188.253.110.4] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753381/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753381; rev:1;)
alert tcp $HOME_NET any -> [91.206.169.134] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753380/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"con.spiraltrain.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"con.doiauth.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753378; rev:1;)
alert tcp $HOME_NET any -> [45.154.98.229] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753377/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753377; rev:1;)
alert tcp $HOME_NET any -> [124.198.132.186] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753376/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753376; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.236] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753375/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"markschutter.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753374; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.50] 8443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753373/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753373; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.67] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753372/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753372; rev:1;)
alert tcp $HOME_NET any -> [45.154.98.164] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753371/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vo230hqh.cybervox.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b4svvivz.cybervox.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753369; rev:1;)
alert tcp $HOME_NET any -> [124.198.132.54] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753368/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753368; rev:1;)
alert tcp $HOME_NET any -> [124.198.131.52] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753367/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fast-flow-point.rapidbrook.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753366; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.115] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753365/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753365; rev:1;)
# ThreatFox indicator rules, restored to one rule per line (sid = 9 followed by the IOC id from the
# reference URL).
# dns rules match the exact query name only: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes; nocase makes the comparison case-insensitive.
# ip:port rules carry no flow, flags or content keyword: any TCP packet from $HOME_NET to the listed
# address and port matches, limited by threshold to one alert per source per 60 seconds.
# first_seen records when the indicator was first seen; the rules carry no expiry of their own, so
# stale entries only leave when the ruleset is refreshed from the feed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamesmullertech.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753364; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.119] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753363/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plsleavemypanelalone.pleasepitymymamaleavemyscalone.one"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marklinssenwebdesign.nl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hydrological-collector.rapidbrook.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketvaluesolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753359; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.47] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753358/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creatorthread.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winterupdatestack.makeoverwinter.in.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753355; rev:1;)
# The ip:port rules below mix confidence_level 100 and 75 entries; both use the same alert action
# and classtype, so the level is visible only in msg and metadata.
alert tcp $HOME_NET any -> [85.11.167.122] 8888 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753354; rev:1;)
alert tcp $HOME_NET any -> [5.61.40.97] 8000 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753353; rev:1;)
alert tcp $HOME_NET any -> [43.226.125.71] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753352; rev:1;)
alert tcp $HOME_NET any -> [172.94.44.154] 7771 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753350/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753350; rev:1;)
# Exact-name match: only this hostname fires, not other names under ddns.net.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lowkey1337.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753349/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753349; rev:1;)
alert tcp $HOME_NET any -> [45.155.69.48] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753348/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"partyfriends.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybaseball.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pictureporter.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crediteducation.cfd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketingparaescritores.es"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hewwbkp.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753339; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ingraiv.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753340; rev:1;)
# ThreatFox indicator rules, restored to one rule per line (sid = 9 followed by the IOC id from the
# reference URL).
# dns rules match the exact query name only: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes; nocase makes the comparison case-insensitive.
# A subdomain of a listed name (for example a www. prefix) does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neglecm.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bowlina.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parabg.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753338; rev:1;)
# ip:port rule: no flow, flags or content keyword, so any TCP packet from $HOME_NET to this address
# and port matches; threshold keeps it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [82.157.184.100] 8080 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1753336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketingmoc.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"austincoindealer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"californiatireshop.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"germansnipers.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"economyassistant.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cherryartist.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boosterjuices.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technicalchief.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"climatecontrolunit.makeoverwinter.in.net"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91753324; rev:1;)
# NOTE(review): the domain rules from here on are confidence_level 75. They use the same alert
# action and classtype as the confidence 100 rules above, so the lower confidence is visible only in
# msg and metadata; filter or re-prioritise on the metadata field if they should be handled differently.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bennettarbitration.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753311/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eventocontaduriafce.viajandoalcielo.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753312/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gconfisur.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753313/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legalecono.com.touruvaevinho.tur.br"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753314/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rastroconversas.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753315/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mousefair.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753316/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"borchard-dietrich.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753317/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"cbardbarns.com.fcpmezzanine.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753318/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lucentfox.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753319/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lexema-rpa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753320/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sdfu.org.ua"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753321/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tarpaulinshouse.co.uk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753322/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"msgtrcrane.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753293/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"estate-recipe.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753294/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"haachan.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753295/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rachelsvineyardkc.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753296/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"estacaopequenaalemanha.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753297/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bl555.gratis"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753298/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"omaxtrans.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753299/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sri-lanka-traumurlaub.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753300/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"camersoftware.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753301/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"r-lien.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753302/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"m8ke.agency"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753303/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"craftmasters.co.uk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753304/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"panplanning.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753305/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tsfs.com.my"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753306/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mav-hf-kita-kk.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753307/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mikovtraining.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753308/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"odishanewgovtjob.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1753309/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"radiohostbrasil.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753310/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oeluu.de"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753276/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pmbtar.ae"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753277/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sagarpatil.bhsupportgt8.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753278/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cittadellese.sitonuovo.eu"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753279/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subasanat.ir"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"renwebdesign.xsrv.jp"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753281/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asobi-plus.jp"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753282/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"miserugrayhair.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753283/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hitonowa-salon.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753284/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"cockpit.hartsimagineering.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753285/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"utazznapolyba.hu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753286/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"printlife.vn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753287/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"intermanagers.com.br.touruvaevinho.tur.br"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753288/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"solidarityinsaya.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753289/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ehcsils-id.ch"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753290/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"totalsecllc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753291/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"houstoncomputerrepairgeeks.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753292/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rajstonex.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753257/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"builder.cannazipbags.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753258/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saaratechnepal.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753259/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bulk-url-opener.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753260/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coctrecongtrinh.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753261/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nathanhowe.nathanhowemusic.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753262/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp2.unairdedemo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753263/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"we.flourish.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753264/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753264; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lakestreetsolar.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epilepsygolf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753266/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cryptolaughs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753267/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a8a8a.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753268/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buyqualityfirst.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753269/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kevius.se"; depth:9; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753270/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kubet.boo"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753271/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edex.dev"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753272/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xsdanang.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753273/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"go237.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753274/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rovo.sa"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753275/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mauisoft.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753240/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artwix.ca"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753241/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blog.cementah.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753242/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bestincestsexgames.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753243/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trendsgh.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753244/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"enor.cloud"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753245/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"einfach-sup.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753246/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"naglisgym.lt"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753247/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"freqbitsolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753248/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dise-global.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753249/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jyoushin-solar.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1753250/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"manshinseyaku.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753251/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"syedamahnoorjaffery.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753252/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"upperdecklakes.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753253/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hijabbandung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753254/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zamek.ilza.pl"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753255/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91753255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shiga-hagukumikai.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753256/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tokushimakoken.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753225/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"couvreur-clamart-toiture.fr"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753226/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"888casinoreview.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753227/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cymage-media.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753228/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"modernnutraguide.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753229/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crudohouse.art"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753230/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"traders-journey.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753231/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kachionna.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753232/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zestsolutions.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753233/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"npo-aura.com"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753234/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webek.co.uk"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753235/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"platinumpainters.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753236/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"varuna.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753237/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shienkenkyu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753238/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ironsolution.by"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753239/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_23; classtype:trojan-activity; sid:91753239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grrrowth.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753209/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clever-llc.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753210/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zarkons.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753211/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daimakkk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753212/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creditscoreelite.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753213/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"pourtapomme.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753214/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jamstaphotography.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753215/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"piumondo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753216/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sysdein.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753217/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bhagabankarinstitute.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753218/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"warteeth.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753219/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"futbol-11.es"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753220/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pucambu.it"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753221/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oknaprof.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753222/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"godvibes.us"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753223/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"food.probill.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753224/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; 
sid:91753224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wealthruproperty.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753190/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"uscentacademy.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"takublog2020.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753192/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sophiaev.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753193/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zubora-shufudiet.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753194/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"flightplanoriginal.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753195/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frozensexgames.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753196/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"profissionaisdevendas.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753197/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"injuryarbitration.drdatasaver.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753198/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"utama777.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753199/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"matrimoniosconproposito.com"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753200/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"optics.oxyappscr.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753201/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"marinabrizzibraus.it"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753202/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"candourtankers.ae"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753203/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dynamicedge-llc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753204/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saikicleaning.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753205/; target:src_ip; metadata: confidence_level 
75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"palaghiacciocatania.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753206/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moneypond.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753207/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"diabezill.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753208/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proveoriente.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753171/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trd.vn"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753172/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allsportsandwellness.ca"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753173/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shutter.myaccessio.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753174/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atmasolucoes.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753175/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"onlysix.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753176/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hifoison.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753177/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"landman.africa"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753178/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fiqueforadacaixa.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753179/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tech247.com.vn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753180/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"all-life-flower.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753181/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cardloan-bank.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753182/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tiltdesigns.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753183/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_23; classtype:trojan-activity; sid:91753183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"columbusveteransfc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753184/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keonhacai.cheap"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753185/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avciauto.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753186/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"istanbulstreetphotography.webek.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753187/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lawwizafrica.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753188/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"autonom.com.pl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753189/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aimania2024.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753153/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"offerchi.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753154/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"99sbobet.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753155/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sr-bb-recruit.jp"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753156/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bybtacademy.com"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753157/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proeole-ne.ch"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753158/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"music2.eq.ee"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753159/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"new.bvmparish.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753160/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"doccontact.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753161/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"green-foods.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753162/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_23; classtype:trojan-activity; sid:91753162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.espacodocdigital.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753163/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"handy-duple.co.jp"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753164/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chinmayapublicschool.co.in"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753165/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ami-thai.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753166/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pasnicenko.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753167/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"club388.world.slot918kiss.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753168/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qh88.luxury"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753169/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seiho-ippankatei.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753170/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seo-hit.cz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753135/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fact-2012.jp"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753136/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stelaconvites.com.br"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753137/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753137; rev:1;)
# Each rule below is an exact, case-insensitive match on the DNS query name:
# depth equals the length of the content string, so the match has to start at
# the first byte of the dns_query buffer, and isdataat:!1,relative requires
# that no byte follows it. A lookup for a subdomain or a "www." variant of a
# listed name therefore does not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cortosengrande.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753138/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"azcaringservices.co.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753139/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"masato-tech.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753140/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smile-life-yits.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753141/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anadasinkyu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753142/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aquariumacademy.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753143/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3neko3.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753144/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"harukanishitani.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753145/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"uniquedreambuilders.in"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753146/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pc.whitesky.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753147/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gidcomp.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753148/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"23win.coach"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753149/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"guardhive.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753150/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"white-tag.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753151/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sakurab21.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753152/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lumadigital.net"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753116/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753116; rev:1;)
# Every rule here carries confidence 75, both in the msg text and as the
# metadata key confidence_level; the metadata key is the structured field to
# filter or route on. Some listed hosts share a parent domain (for example
# rahul-chind.novacrm.ca and zain.novacrm.ca): each is its own rule matching
# one full query name, so other hosts under that parent are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"selamat123.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753117/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rahul-chind.novacrm.ca"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753118/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zain.novacrm.ca"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753119/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dvasilaki.dynacomp2.eu"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753120/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"new.amadehlaziz.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753121/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lorriedeenacaplan.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753122/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"padelsportacademy.app"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753123/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sparklehomecleaningcompany.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753124/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nutritionadvicehub.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753125/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nithani.co.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753126/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmoo.vet"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753127/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"training-uat.rapidascent.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753128/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"baby-mine0821.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753129/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"myfandollars.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753130/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nisourcetech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753131/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keyframe.com.co"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753132/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753132; rev:1;)
# In each rule the sid is the ThreatFox IOC id from the reference URL with a
# leading 9 (ioc/1753133 -> sid:91753133), so the signature id of an alert
# leads straight back to the IOC record for malware family and context.
# NOTE(review): confirm this sid range does not collide with locally
# written rules before loading the file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peppersghost.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753133/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"23wincom.agency"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753134/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"janvilleroofing.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753097/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lindtmobile.co.za"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753098/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mayinhue.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753099/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zero-start.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753100/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oberfohring.umzug-milbertshofen.de"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753101/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saikou.sbs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753102/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ir.karpirajobs.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753103/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"highondots.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753104/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"00c29c34fd.nxcli.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753105/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"venkateshwarmines.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753106/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sendmeavoucher.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753107/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"opnoit.prospy.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753108/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sunrise-f.co.jp"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753109/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"expertsbyexperience.knightcott.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753110/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753110; rev:1;)
# None of the DNS rules below has a threshold keyword, so every matching
# query raises its own alert; a host that resolves a listed name repeatedly
# produces one alert per lookup. If that volume is a problem, rate limiting
# has to be configured outside the rule (for example per sid in
# threshold.config) rather than by editing this generated file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tyrafast.se"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753111/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bandbsmengine.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753112/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aabacus-bestattungen.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753113/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bote.company"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753114/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"homeexplore.novacrm.ca"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753115/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edm.phm-hotels.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753080/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lollipoplaundry.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753081/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taukr.lt"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753082/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"atxsa.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753083/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sessionsverificates.live"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753084/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"samurai-car-jpn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753085/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edanurcakmak.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753086/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hands-japan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753087/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nurselnc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753088/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"papaburrito.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753089/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"gembetoffermy2.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753090/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753090; rev:1;)
# target:src_ip marks the source of the matching query as the alert target,
# and the header only matches $HOME_NET -> $EXTERNAL_NET. NOTE(review): where
# clients resolve through an internal recursive resolver, the source the
# sensor sees on that path is presumably the resolver, not the endpoint;
# correlate with resolver query logs to find the originating host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ithroofingremodelingllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753091/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sayaracentral.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753092/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clinicafisiotrat.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753093/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"csirtennisclub.org.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753094/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adcom.co.za"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753095/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"autostikeri.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753096/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3squaredco.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753062/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"itoyuu-meguro.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753063/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greyfashiondesign.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753064/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quimicaelda.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753065/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mojow-mobiliers.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753066/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"globeerp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753067/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cashloopmagazine.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753068/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"medicine.gsinds.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753069/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"manabi-station-fukushima.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753070/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"smartphotoedit.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753071/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753071; rev:1;)
# These rules use the dns protocol and inspect the dns_query buffer, so they
# only see DNS that the sensor can parse. NOTE(review): lookups carried over
# encrypted DNS (DoH/DoT) that the sensor does not decode would not reach
# them; confirm what the deployment covers before treating "no alert" as
# "no lookup".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vizyons.dev"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753072/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"delix.misecretaria.com.ar"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753073/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whichphablet.highheelsplace.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753074/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ilvisa.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753075/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cymage-media.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753076/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vanda.edu.kh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753077/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"serv-in.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753078/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"echo-pr.co.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753079/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tennis-bandol.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753045/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"numerix360.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753046/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zeloar.com.br"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753047/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"acosgalvao.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753048/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comres.co.za"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753049/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elopharma.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753050/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rorbaxprojects.co.za"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753051/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"wellnesswisewhispers.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753052/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753052; rev:1;)
# first_seen 2026_02_23 and rev:1 are the only age information these rules
# carry; nothing in a rule says whether the indicator is still active. A
# match shows that a host looked the name up, not that it connected to the
# address or is infected, so check the reference URL and the host's
# follow-up traffic before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elizabethpastry.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753053/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shiningstarschildcare.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753054/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bhargavahospital.in"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753055/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"invitriol.be"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753056/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"win.prowebsite.live"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753057/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"madeireiradunorte.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753058/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"espace-mandarine.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753059/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hartvoorregelen.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753060/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cryptoclinic.london"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753061/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"innov8league.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753030/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"africanalphacc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753031/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aalvesimoveisrp.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753032/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holzbau-weiner.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753033/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hxingsoft.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753034/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vyaparionline.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753035/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"eso.fwf.temporary.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753036/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"onari-aikido.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753037/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alsaqrdelivery.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753038/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"itoyuu.tokyo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753039/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"315kou.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753040/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qexmz.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1753041/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"etpur.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753042/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asobibasyo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753043/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"appirockyinn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753044/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test.beloslav.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753015/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teddyclub.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753016/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; 
sid:91753016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"waterpurificationsvcs.com.mobimark.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753017/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vizecommunications.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753018/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidyaniketanpublicschools.arbrands.in"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753019/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unfair.alt-ruist.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753020/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"top10bars.com.au"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753021/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tomaru.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753022/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"technologieshub.adskonic.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753023/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"syedbrands.latestbedding.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753024/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swat.welfaretaiwan.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753025/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techfabintl.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753026/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"operationendgame.live"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753027/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sparklemyhome.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753028/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tophygiene.co.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753029/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nutraforyou.com.suavidaadois.com.br"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753001/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"healthrelate.wisefunders.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753002/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jrqsistemas.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1753003/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eri-salon.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753004/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elmeka.lt"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753005/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"breakout.gsinds.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753006/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gmb.3squared360.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753007/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yukkou.sbs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753008/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753008; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yoshiro11.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753009/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yama-to-cha.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753010/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xs785590.xsrv.jp"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753011/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yildirimkitapligi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753012/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yamatosteel.jp"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753013/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"zooguide.blog"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753014/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v6bet.boo"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752989/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unf.alt-ruist.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752990/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tresna.bel-technology.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752991/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"travelfork.highheelsplace.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752992/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"track.truckporter.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752993/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tifarahbemestar.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752994/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"1controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752995/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"1controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752996/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vascofinancial.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752997/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teste.mpcservicos.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752998/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91752998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deeptechcentre.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752999/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"d8.cryptocurrencyinfo.today"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1753000/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91753000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zoom.tecnosimbra.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752972/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yumekanaumade.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752973/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yukkou555.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752974/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"ys.onaritest-1.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752975/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youanditrips.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752976/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xn--vck8crc320vuua.jp"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752977/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"worldvacationtour.adskonic.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752978/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp.postanidostavljac.rs"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752979/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wo.cementah.com"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752980/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-planet.gr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752981/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vitralweb.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752982/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vigor-14.jp"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752983/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"velvetyield.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752984/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vasco.wisefunders.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752985/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_23; classtype:trojan-activity; sid:91752985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vasco.media"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752986/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"va.jvrjobs.co.za"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752987/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v1.yhelwah.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752988/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sinq-biyou.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752960/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stockexchangejournal.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752961/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"simanys.yln.mfs.temporary.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752962/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752962; rev:1;)
# Reading the rules in this part of the feed:
#  - Each rule matches one ThreatFox domain IOC against the DNS query name
#    (dns_query buffer) of queries going from $HOME_NET to $EXTERNAL_NET.
#  - depth equals the length of the content string and isdataat:!1,relative
#    requires that no byte follows the match, so with nocase a rule fires only
#    on a case-insensitive match of the complete query name. A query for a
#    subdomain of a listed name does not match.
#  - target:src_ip marks the source address (the querying host) as the target
#    in alert output.
#  - sid is the digit 9 followed by the IOC id from the reference URL, so an
#    alert can be traced back to its ThreatFox entry.
#  - metadata carries confidence_level 75 for every rule here; triage these
#    below the confidence_level 100 entries earlier in the file.
#  - These DNS rules carry no threshold keyword, so the rule itself does not
#    rate-limit alerts. NOTE(review): a host resolving a listed name repeatedly
#    will presumably alert per matching query unless thresholding is set elsewhere.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shatalarabgroup.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752963/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ineox.pl"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752964/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rising-s.co.jp"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752965/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"garrygolden.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752966/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"first-film.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752967/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"check-list.jp"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752968/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vascoinsurance.wisefunders.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752969/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youngdesignerscollective.idconsults.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752970/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xinnomix.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752971/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amoatibaia.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752951/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rewardsplus.phm-hotels.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752952/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amenom.jp"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752953/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tongdaixeghepyenlinh.io.vn"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752954/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"denshikeiyaku-hikaku.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752955/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"widenews.in"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752956/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vafglobal.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752957/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wanchai-cleaning.com.63944387-4-20190715204404.webstarterz.com"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752958/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"uilfpl.bz.it"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752959/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp.ttqm.com.sg"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752943/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v6bet.fan"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752944/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wiseconsolidation.wisefunders.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752945/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transportadoraguacu.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752946/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"staging.wastedisposalsolutions.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752947/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soloecommerce.it"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752948/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.laminetjes.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752949/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seiken-naisoushiage.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752950/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"roumanie.sandierrot.fr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752939/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"red-eyesecurity.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752940/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"roku.jnishop.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752941/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yukkou2.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752942/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aboutpearlharbor.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752932/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sotavpn.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752933/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"code.hybclient.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752934/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evanderupdate.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752935/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"watabaran.se"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752936/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vendamaiscomthiago.ads360imob.com.br"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752937/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suzuya-basketball-dog-house.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752938/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752938; rev:1;)
# Numbered series: <N>controller.ru and <N>controller.online for N = 2..10
# (IOC ids 1752914-1752931). 3controller.ru (sid 91752914) is listed further
# down, out of sequence. Because each rule is an exact match, a name outside
# this enumerated set is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"2controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752915/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752916/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"6controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752917/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"5controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752918/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752919/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"8controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752920/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"9controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752921/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"10controller.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752922/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"2controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752923/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752924/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752925/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"5controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752926/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"6controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752927/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752928/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"8controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752929/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"9controller.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752930/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"10controller.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752931/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liblink.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752899/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tnsa.jp"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752900/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"worldvacationtour.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752901/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.physioxrsize.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752902/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"addon-xinnomixcom.xinnomix-filme.ch"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752903/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"panamawebhosting.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752904/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winnipeglandscapingpros.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752905/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kongogenie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752906/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oneononefriendship.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752907/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sambaza.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752908/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kodamablog.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752909/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"academie.habg.ci"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752910/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dcamargobetoneiras.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752911/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lumis.lt"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752912/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hghlaw.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752913/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752913; rev:1;)
# Remaining member of the <N>controller.ru series listed earlier in this file.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3controller.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752914/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"republic-crane-k-s.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752879/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rcmceberio.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752880/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yudai1207pt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752881/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zmdservice.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752882/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wildparker.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752883/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wurzelwerk-agentur.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752884/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webgrade.kusherp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752885/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wolkensegler.design"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752886/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"weconger.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752887/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ureyjai.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752888/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wartajaya.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752889/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752889; rev:1;)
# NOTE(review): this name sits under googleusercontent.com and embeds four
# numeric labels, which looks like a provider-assigned host name rather than a
# registered domain. The address behind such a name may presumably be reassigned
# to another tenant; check first_seen and the ThreatFox reference before
# treating a hit as confirmed C2. Only this exact name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"74.45.23.34.bc.googleusercontent.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752890/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"om-engineering.co.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752891/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lazerepilasyonfiyatlar.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752892/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vpnkit.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752893/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phcolo.ph"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752894/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trading-lots-money.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752895/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ptashka.bar"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752896/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752896; rev:1;)
# This name is a single host under github.io. The exact-match form means other
# github.io names do not alert; a hit identifies a lookup of this one host only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kilab-gaming.github.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752897/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wootest.lifos.com.tr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752898/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rdipartners.com.au"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752862/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"totobi.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752863/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"postcard-ua.com.ua"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752864/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alertblitz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creditreview.sg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752866/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"miotech.be"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752867/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"premiumdiagnostics.pk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752868/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kontel.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752869/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iamdavidachom.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752870/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"durable-coating.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752871/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alpha2omegabh.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752873/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turskeserijee-net-qqff.loadserve.dev"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752874/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"controlpcaps.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752875/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"craneworldasia.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752876/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"track2studio.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752877/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pakdailyupdate.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752878/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"naturedrop.ch"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752845/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yoshika.co.jp"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752846/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yatagarasu1123.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752847/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"walta.zergaw.et"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752848/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"weenme.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752849/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_23; classtype:trojan-activity; sid:91752849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zimoveyskaya.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752850/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xgr.pmc.mybluehost.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752851/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"view-point.co.jp"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752852/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"timwinders.retirevillage.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752853/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vereindaheim.at"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752854/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tomtomu27.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752855/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wave-n.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752856/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webanga.com.nascentedocantao.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752857/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"testsite.wholearmormedia.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752858/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test.admin.topliefer.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752859/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"test4.kusherp.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752860/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"standart-uk.kz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752861/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-927187ff.khl.exm.mybluehost.me"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752827/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"web.serenichron.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752828/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shop.intermusica.pe"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752829/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stephan-mielke.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752830/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"robertevans.retirevillage.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752831/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"service.master-ok.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752832/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"safridi.ictclients.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752833/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ppsac.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752834/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"private.kusherp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752835/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91752835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pola-koko288.baby"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752836/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"primaveraveiculos.com.imagineweb.dev.br"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752837/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qualitylivingpm.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752838/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chromium.report.tech.b55081fa-9cd1-48c2-95d4-efe.crashnotify.org"; depth:64; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752839/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app.quietnetpro.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752840/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752840; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"app.getauroravpn.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752841/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chromium.report.tech.b21822va-72if4-j3ar-k4618.verifycores.com"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752842/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gogisich.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752843/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spyuganda.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752844/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arise.spiderwebzdesign.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752810/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 75%)"; dns_query; content:"blog-ecommerce.es"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752811/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bos.webserver5.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752812/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dyag.brobro.ai"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752813/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dk-decor.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752814/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elex.codeberry.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752815/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"erp.bditconsultancy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1752816/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"foxfinancas.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752817/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ftp.agrigentotourist.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752818/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gomygo.kusherp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752819/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jadd.draftus.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752820/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"interstate.myinvestment.properties"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752821/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_23; classtype:trojan-activity; sid:91752821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"astrologiahindu.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752822/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.nmreitgroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752823/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"threenetragroup.kusherp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752824/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tylerbosch.retirevillage.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752825/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-cd9a3473.khl.exm.mybluehost.me"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752826/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752826; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.newday-gt.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752791/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lp.rainhadosconsorcios.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752792/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.imeldaespinoza.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752793/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.genesseevalleygolfcourse.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752794/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.destinationecuador.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752795/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"release-notes.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752796/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"partner.naturigin.hu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752797/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrsillucia.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752798/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"concretestampingandstaining.brandonwyatt.website"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752799/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evolvedesign.co.za"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752800/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sitepapelaria.edsure.com.br"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752801/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"san-antonio.concretestampingandstaining.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752802/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.talkagency.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752803/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.hostwala.in"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752804/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.qbb.nmi.mybluehost.me"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752805/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.smartbowls.co.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752806/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trodatec.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752807/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captioto.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752808/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"augustoilian.cybercol.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752809/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gamboozarecover.crearhosting.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752773/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gereja.neoxdev.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752774/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752774; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"herbertbrewerbooks.com.laneacquisition.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752775/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iglesia.efata.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752776/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kft.kusherp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.casadostoldoslimeira.com.br"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752778/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jcptacticalllc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752779/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"webiz-magazine.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752780/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tileroofinglasvegas.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752781/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tamara.scrappinmonkeys.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752782/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smartpromotions.seanborgmans.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752783/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"orkayacademy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752784/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peach.prgss.dev"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752785/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"odva.wbinnova.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752786/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"obchod.moravskysommelier.cz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752787/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.reclaimyourfunds.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752788/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.rodasaopaulo.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752789/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.pvu.gbh.mybluehost.me"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752790/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aiselfie.cam"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752755/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mac-os-helper.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752756/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comocerditos.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752757/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ccera-icar.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752758/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bo.cerisecosmetique.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752759/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752759; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goarnsds.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752760/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorscts.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752761/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greecpt.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752762/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bnr.international"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752763/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"admin.jnishop.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752764/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"autoconfig.oikiastays.perspectiveunity.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeromodelosconcepcion.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752766/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bravepolice.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cupom.prgss.dev"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752768/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dev.ghcoop.vn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"destinationecuador.com.tropiceco.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1752770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epigrams.co.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752771/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fiscaldynamicswest.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752772/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"brickmechanics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752753/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"12aedehyj4dg79vd6w00fck854y3vun4cqgj.t3.storage.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752754/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752754; rev:1;) alert tcp $HOME_NET any -> [94.156.152.23] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; 
classtype:trojan-activity; sid:91752602; rev:1;)
# URL-type IOC rules: each one requires a GET request, a request path that begins with
# the listed string (depth equals the pattern length and nothing anchors the end, so
# longer paths and query strings still match), and, where http.host is present, a host
# equal to the listed name (depth plus isdataat:!1,relative leaves no room for extra bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify-to-continue-id-ktpos-260216.html"; depth:40; nocase; http.host; content:"12aedehyj4dg79vd6w00fck854y3vun4cqgj.t3.storage.dev"; depth:51; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752609/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91752609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdasq"; depth:7; nocase; http.host; content:"basilicros.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752657/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752657; rev:1;)
# NOTE(review): sid 91752658 differs from the URL rules around it. The domain string is
# matched in http.uri and the rule has no http.host match at all. A request path in
# origin form begins with "/", so a pattern anchored to the first 12 bytes of the URI
# and starting with "b" is unlikely to fire on ordinary client requests. This looks like
# a generator artefact for an IOC that had no path (TODO confirm against the reference
# page). Do not count this rule as coverage for the domain; if coverage is needed, add a
# DNS or http.host rule in your local sid range rather than editing the feed rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bowlina.cyou"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1752658/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asfase"; depth:7; nocase; http.host; content:"broguenko.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752659/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/fssdaw"; depth:7; nocase; http.host; content:"familyriwo.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752660/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdase"; depth:7; nocase; http.host; content:"hammernew.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752661/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccvfd"; depth:6; nocase; http.host; content:"heavylussy.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752662/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ascasef"; depth:8; nocase; http.host; content:"homuncloud.su"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752663/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cascasc"; depth:8; nocase; http.host; content:"izzardtow.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752664/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asds"; depth:5; nocase; http.host; content:"whitepepper.su"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752665/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752665; rev:1;)
# NOTE(review): in sid 91752669 the URI pattern is the single byte "/" with depth:1, which
# every origin-form request path satisfies. The rule is therefore host-only in practice:
# any GET to brickmechanics.com alerts, whatever the path. Triage hits as "contacted a
# listed host", not as "fetched a specific payload URL".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brickmechanics.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752669/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_23; classtype:trojan-activity; sid:91752669; rev:1;)
# The next two rules match an IP literal in http.host. They fire only when the client
# addresses the server by that literal; a request that reaches the same address under a
# hostname does not match. The short path patterns ("/c.sh", "/.i") are prefix matches
# and rely on the host condition for specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; nocase; http.host; content:"130.12.180.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752695/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; nocase; http.host; content:"36.66.108.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752749/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752749; rev:1;)
alert tcp $HOME_NET any -> [43.153.195.44] 10001 (msg:"ThreatFox Xtreme RAT botnet C2
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-templates/five/five/fre.php"; depth:31; nocase; http.host; content:"electrico.co.zw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frostprotectionsys.makeoverwinter.in.net"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"seasonaltrendlog.makeoverwinter.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fresh-bio-center.freshhill.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752744; rev:1;) alert tcp $HOME_NET any -> [188.163.112.25] 19155 (msg:"ThreatFox 
SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"justin-subcategories.with.playit.plus"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astech.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ku3933net.city"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ivkb.sa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rg8369.in.net"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1752738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn3789net.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trymeonce-63682.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hill-side-view-point.freshhill.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eco-system-track.freshhill.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agricultural-monitoring.freshhill.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752720/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"impactanalysisview.globalstimul.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"strategicdatasink.globalstimul.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dynamicmarketflow.globalstimul.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"universalreachpoint.globalstimul.in.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752714; rev:1;) alert tcp $HOME_NET any -> [43.209.19.2] 36218 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752713/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_23; classtype:trojan-activity; sid:91752713; rev:1;)
# ip:port rules: the only match conditions are the destination address and port in the
# rule header. There is no payload, flow or flags keyword, so nothing here restricts the
# alert to an established session. The threshold (type limit, track by_src, count 1,
# seconds 60) caps output at one alert per source address per minute.
# NOTE(review): on port 443 these rules cannot tell the listed C2 apart from any other
# service answering on the same address. first_seen is the only age signal in the rule,
# so check the reference page for the IOC's current status before escalating, and
# corroborate with DNS, TLS or endpoint telemetry from the alerting host.
alert tcp $HOME_NET any -> [187.156.70.182] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752712; rev:1;)
alert tcp $HOME_NET any -> [118.107.44.175] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752711; rev:1;)
# Domain rules: depth equals the pattern length and isdataat:!1,relative requires that no
# byte follows the match, so together with nocase each rule is a case-insensitive match
# on the whole query name. Other labels under the same parent zone (for example a
# different host under vividrock.ru or microzen.digital) are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hard-rock-base.vividrock.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lg1kpu12.microzen.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2lrej7f0.microzen.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
payload delivery (domain - confidence level: 100%)"; dns_query; content:"main-monitoring-station.vividrock.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fkeasfodsfkefoapdsofkp-33083.portmap.host"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752706; rev:1;) alert tcp $HOME_NET any -> [47.236.41.46] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752705; rev:1;) alert tcp $HOME_NET any -> [81.19.137.207] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752704; rev:1;) alert tcp $HOME_NET any -> [91.92.243.97] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752703; rev:1;) alert tcp $HOME_NET any -> [118.107.44.179] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1752702/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752702; rev:1;) alert tcp $HOME_NET any -> [45.64.52.196] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752701/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_23; classtype:trojan-activity; sid:91752701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"core-stone-vault.vividrock.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geological-survey-point.vividrock.ru"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"intervalchecknode.swallowtime.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"historyflowsystem.swallowtime.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752694/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_23; classtype:trojan-activity; sid:91752694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"temporallogicunit.swallowtime.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chronosyncmanager.swallowtime.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752692; rev:1;) alert tcp $HOME_NET any -> [16.78.46.212] 119 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752689; rev:1;) alert tcp $HOME_NET any -> [16.78.46.212] 44819 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752690; rev:1;) alert tcp $HOME_NET any -> [149.28.242.44] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_23; classtype:trojan-activity; sid:91752688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"public-gateway-alpha.urbanlake.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"central-hub-access.urbanlake.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"city-management-portal.urbanlake.ru"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752685; rev:1;) alert tcp $HOME_NET any -> [212.3.142.177] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbb.mercadolivreshop.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752681; rev:1;) alert tcp $HOME_NET any -> [83.142.209.3] 8089 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752680; rev:1;)
# ip:port IOC rule. The header alone is the match condition: any TCP packet from
# $HOME_NET to the listed address and port. There is no flow: or content: option,
# so the alert shows that a host contacted the endpoint, not that the family named
# in msg was identified on the wire. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per source address per 60 seconds.
# target:src_ip marks the internal source as the affected side in alert output.
alert tcp $HOME_NET any -> [185.199.52.247] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752679; rev:1;)
# Domain IOC rule. depth equals the length of the content string, and
# isdataat:!1,relative requires that no byte follows the match, so the whole DNS
# query name must equal the listed name (case-insensitively, via nocase).
# Subdomains of the name and other hosts in the same parent zone do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtam.dynv6.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752678; rev:1;)
# confidence_level 75 (also stated in msg): the feed rates this entry lower than
# the 100% entries around it. NOTE(review): consider routing alerts by the
# metadata confidence_level value so lower-rated ip:port hits are corroborated
# with host or proxy telemetry before escalation.
alert tcp $HOME_NET any -> [45.64.52.154] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752677/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752677; rev:1;)
# Same exact-name DNS pattern as above. The sid of each rule is the ThreatFox IOC
# id from its reference URL with a leading 9, which lets an alert be traced back
# to the feed entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analytics.qzz.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kugo.it.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752675/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; 
classtype:trojan-activity; sid:91752675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xlyxmzlj2.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752674/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"infrastructure-service.urbanlake.ru"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"processvalidation.implementnega.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coreintegratednode.implementnega.in.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"applicationbackup.implementnega.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; 
sid:91752668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deploymentsystems.implementnega.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monitoringservice.snoozetrap.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"backgroundprocess.snoozetrap.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manutecaowebsites.creativexspot.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silenttriggerbase.snoozetrap.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752653; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"activestatushub.snoozetrap.in.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752652; rev:1;) alert tcp $HOME_NET any -> [165.245.186.179] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.mercadolivreshop.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752647; rev:1;) alert tcp $HOME_NET any -> [141.140.0.147] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752646; rev:1;) alert tcp $HOME_NET any -> [143.92.60.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752645; rev:1;) alert tcp $HOME_NET any -> [20.173.41.169] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"technicalsupportbox.aircraftmodel.in.net"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"navigationsysunit.aircraftmodel.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manolocorretora.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aerospaceviewport.aircraftmodel.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maniariup.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flightcontrolcenter.aircraftmodel.in.net"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"remotedatachannel.intricessaucy.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752637; rev:1;) alert tcp $HOME_NET any -> [72.61.158.123] 3001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752636; rev:1;) alert tcp $HOME_NET any -> [69.167.10.201] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"godisgreatmygood.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; 
classtype:trojan-activity; sid:91752632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatmindworkingunison.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revlonducussdmg.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752634; rev:1;) alert tcp $HOME_NET any -> [45.93.31.198] 53084 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752631/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_22; classtype:trojan-activity; sid:91752631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win-system-update.me"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsynchandler.intricessaucy.in.net"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752629; rev:1;) alert tcp $HOME_NET any -> [91.202.3.5] 443 
(msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752628/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752628; rev:1;)
# Four ip:port IOC rules attributed by the feed to DeimosC2, all at
# confidence_level 75. Each matches on destination address and port only (no
# flow: or content: option), so an alert records that a $HOME_NET host sent TCP
# traffic to the endpoint, nothing about the payload. The threshold option caps
# output at one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [65.153.151.164] 10011 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752627/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752627; rev:1;)
# The next two rules use destination port 443, which ordinary TLS services also
# use. NOTE(review): if the address is shared or later reassigned, these rules
# will fire on unrelated traffic; corroborate with TLS or endpoint telemetry and
# expire the rule once the first_seen date is stale for your retention policy.
alert tcp $HOME_NET any -> [185.45.195.85] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752626/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752626; rev:1;)
alert tcp $HOME_NET any -> [18.253.110.70] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752625/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752625; rev:1;)
alert tcp $HOME_NET any -> [144.7.95.161] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752624/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752624; rev:1;)
# Domain IOC rule: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a DNS query for exactly this name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advancedsystrace.intricessaucy.in.net"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752623/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"complexlogicstream.intricessaucy.in.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mananta.es"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"internalnodepoint.lubginany.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5z6y8mkfe.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secureaccesspoint.lubginany.in.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; 
classtype:trojan-activity; sid:91752618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idk123456789012-51385.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"networkdatamanager.lubginany.in.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"centralcloudservice.lubginany.in.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"money.bullishcoder.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ultranode.ultranet.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752612; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"checkstatus.approvkrup.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"applynow.approvkrup.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finalstep.approvkrup.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magiablackgold.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"authpoint.approvkrup.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"bot.1756520.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752597; rev:1;) alert tcp $HOME_NET any -> [172.96.14.105] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752596; rev:1;) alert tcp $HOME_NET any -> [144.31.203.91] 6703 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"staffbase.chelnperson.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"workforce.chelnperson.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"humanunit.chelnperson.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leadgroup.chelnperson.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"utilsync.baskadubutil.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"servicedesk.baskadubutil.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maintool.baskadubutil.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tasknode.baskadubutil.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752587/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752587; rev:1;)
# Domain IOC rule: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so only a DNS query for exactly this name matches
# (case-insensitively, via nocase). Other hosts under the same parent domain
# need their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"timeloop.hourillusion.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752586; rev:1;)
# URL IOC rules. Each requires an established client-to-server flow, a GET
# method, a URI that begins with the listed path, and a Host value equal to the
# listed name. The URI content has depth equal to its length but no
# isdataat:!1,relative, so it is a prefix match: requests with a query string or
# a longer path after the prefix also alert. The http.host content carries both
# anchors, so it is an exact match.
# NOTE(review): these are "alert http" rules, so they presumably see only HTTP
# that the sensor can parse in clear text; the same URL fetched over TLS would
# need decryption upstream or a separate DNS/TLS indicator. Confirm against the
# sensor's deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nfront.php"; depth:11; nocase; http.host; content:"eroticaforfree.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nback.php"; depth:10; nocase; http.host; content:"eroticaforfree.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752584; rev:1;)
# Here the Host value is an IP literal rather than a name, so the rule matches
# requests addressed to that host by IP. The rule header still uses
# $EXTERNAL_NET any, meaning the destination address and port of the connection
# are not constrained by the rule; only the Host header and URI prefix are.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"143.92.60.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"watchpoint.hourillusion.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us4.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us5.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us6.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us7.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us8.com"; depth:24; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1752569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us9.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero10-endscape.cc"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero1-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero2-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero3-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752574/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752574; rev:1;)
# Domain IOCs labelled "payload delivery" by the feed, one rule per line.
# Each rule inspects the DNS query name (dns_query) and pairs depth:<length> with
# isdataat:!1,relative, so it fires only when the query equals the listed name exactly
# (case-insensitively, via nocase). A query for a subdomain of the listed name does not match.
# target:src_ip marks the querying $HOME_NET address as the alert target.
# NOTE(review): if the sensor only sees resolver-to-Internet traffic, that address is
# the internal resolver rather than the client; correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero4-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero5-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero6-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero7-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero8-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero9-endscape.cc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alphazero-endscape.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"immortal-service.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"critical-service.cc"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fileless-market.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"indeanapolice.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn2-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn10-new.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn1-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn3-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn4-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752554/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn5-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn6-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn7-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn8-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn9-new.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalsnn-new.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us1.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us10.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us2.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api-microservice-us3.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752564; rev:1;)
alert tcp $HOME_NET any -> [196.75.55.17] 2222
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752545; rev:1;)
# IP:port IOCs. These tcp rules carry no content or flow keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches; the family name in msg is the feed's
# label and is not checked against the traffic.
# threshold type limit, track by_src, seconds 60, count 1 caps alerting at one alert per
# source address per 60 seconds, so alert counts do not reflect connection volume.
# NOTE(review): addresses can be reassigned; compare first_seen with the age of the rule
# set before treating a hit as confirmed C2 or using the address for blocking.
alert tcp $HOME_NET any -> [51.85.37.194] 35005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752544; rev:1;)
alert tcp $HOME_NET any -> [168.119.50.34] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752543; rev:1;)
alert tcp $HOME_NET any -> [3.104.47.154] 11613 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752542; rev:1;)
# Domain IOCs: dns_query with depth:<length> and isdataat:!1,relative matches the listed
# name exactly (nocase); a query for a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shiftview.hourillusion.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-prtner.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752540; rev:1;)
alert tcp $HOME_NET any -> [74.118.172.190] 5938 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daytrace.hourillusion.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soultrack.afterlifetap.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beyondbase.afterlifetap.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vaer-cdn-3.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22;
classtype:trojan-activity; sid:91752411; rev:1;)
# URL IOCs (alert http) interleaved with the matching domain IOCs (alert dns).
# Each http rule requires an established client-to-server flow, method GET, a request URI
# that starts with the listed path, and an http.host value equal to the listed host.
# The URI content has depth but no end-of-buffer check, so a longer URI with the same
# prefix (for example with a query string appended) also matches; the host content pairs
# depth with isdataat:!1,relative and is therefore an exact match.
# NOTE(review): these rules rely on the HTTP parser seeing the request, so a fetch of the
# same URL over TLS is covered only by the companion dns rule unless traffic is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"image-hoster11.sbs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"image-hoster11.sbs"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nstv-css-styles-19.sbs"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dltucra.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dltucra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"dltucra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"dltucra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"dltucra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"nstv-css-styles-19.sbs"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"vaer-cdn-3.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"store-image.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"store-image.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ldveriz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"ldveriz.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"dltucra.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"dlderi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"dlderi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752425; rev:1;)
# The next five rules carry a feed confidence below 100 (80 or 75 in metadata and msg);
# that value can be used to rank them lower in triage than the 100% entries.
# The tcp rules have no content or flow keywords: any TCP packet to the listed address and
# port matches, limited to one alert per source per 60 seconds by the threshold.
alert tcp $HOME_NET any -> [45.90.163.37] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752437/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_22; classtype:trojan-activity; sid:91752437; rev:1;)
# This URL IOC names the server by IP address, so it matches only when http.host carries
# that literal address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; nocase; http.host; content:"139.59.119.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752473/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752473; rev:1;)
alert tcp $HOME_NET any -> [176.65.148.52] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752521/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_22; classtype:trojan-activity; sid:91752521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"176.65.148.52.ptr.pfcloud.network"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752522/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_22; classtype:trojan-activity; sid:91752522; rev:1;)
alert tcp $HOME_NET any -> [176.65.148.52] 1914 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752523/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_22; classtype:trojan-activity; sid:91752523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spiritlink.afterlifetap.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finalgate.afterlifetap.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752532/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752532; rev:1;)
# Domain IOCs, one rule per line. dns_query with depth:<length> and isdataat:!1,relative
# matches the listed fully qualified name exactly (nocase). Several entries are sibling
# hosts under the same parent (solidyears.in.net, shratsurvivor.in.net), and each sibling
# has its own rule: a new host under the same parent is not covered until the feed lists it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardrock.solidyears.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"longroad.solidyears.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basepoint.solidyears.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldcore.solidyears.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"laststand.shratsurvivor.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildhunt.shratsurvivor.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardlife.shratsurvivor.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heropath.shratsurvivor.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shipnode.detachfrigate.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cursednetwork.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"povermnebrat.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752515; rev:1;)
# IP:port IOCs for several RAT / C2 families as labelled by the feed. The rules match on
# destination address and port only (no content, no flow state), so every TCP packet from
# $HOME_NET to that endpoint qualifies and the threshold reduces this to one alert per
# source per 60 seconds.
# NOTE(review): the 443/tcp entry alerts on any TCP traffic to that address and port,
# whatever is carried inside it; confirm with endpoint or proxy telemetry before
# attributing a hit to the named family.
alert tcp $HOME_NET any -> [194.169.160.12] 7832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752513; rev:1;)
alert tcp $HOME_NET any -> [198.135.54.88] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752512; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.208] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752511; rev:1;)
alert tcp $HOME_NET any -> [47.238.234.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752509; rev:1;)
# Domain IOCs: exact-name match on the DNS query (depth:<length> plus isdataat:!1,relative,
# nocase); a query for a subdomain of a listed name does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xswdeu.za.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autofinder.in.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oceanpoint.detachfrigate.in.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vesselhub.detachfrigate.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkport.detachfrigate.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calcunit.arithmethair.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752498/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752498; rev:1;)
# Domain IOCs labelled "payload delivery", one rule per line. dns_query with
# depth:<length> and isdataat:!1,relative matches the listed name exactly (nocase); a
# query for a subdomain of it, or for another host under the same parent, does not match.
# target:src_ip marks the querying $HOME_NET address as the alert target.
# NOTE(review): behind an internal resolver that address may be the resolver rather than
# the client; correlate with resolver logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mathlogic.arithmethair.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"digitflow.arithmethair.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corenumber.arithmethair.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soundreview.auditsounder.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"verifyecho.auditsounder.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"checktone.auditsounder.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"joieshk7.hexalink.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"59xgjeq2.hexalink.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"compactvillage.koreansmall.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752487; rev:1;)
# IP:port IOC: matches any TCP packet to the listed address and port (no content or flow
# keywords); the threshold caps alerting at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [193.161.193.99] 40515 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"littlemarket.koreansmall.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"minihouse.koreansmall.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brewshield.brannysuppress.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maltguard.brannysuppress.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"graincontrol.brannysuppress.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baseportion.inherentrecip.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"innaterecipe.inherentrecip.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coreformula.inherentrecip.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mapseeker.exploratsinyuk.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752474; rev:1;)
# Feed confidence is 50 on this ip:port entry (see metadata and msg). With no content
# match behind it, a hit is a lead to corroborate with host telemetry, not a confirmation.
alert tcp $HOME_NET any -> [147.45.245.42] 20325 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752472/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase;
http.host; content:"83.142.209.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752471/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752471; rev:1;) alert tcp $HOME_NET any -> [38.60.220.157] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752469/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752469; rev:1;) alert tcp $HOME_NET any -> [118.122.8.155] 9308 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752468/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752468; rev:1;) alert tcp $HOME_NET any -> [4.247.145.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752466/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752466; rev:1;) alert tcp $HOME_NET any -> [46.225.85.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752467/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752467; rev:1;) alert tcp $HOME_NET any -> [34.253.217.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752463/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752463; rev:1;) 
# Reading the rules below (one rule per line; the final line is the start of a rule that
# continues past this excerpt):
# - DNS rules: dns_query + content + depth:<pattern length> + isdataat:!1,relative pin the
#   pattern to the whole query buffer, so only the listed FQDN matches (nocase). A longer
#   name or a further subdomain of it does not match.
# - ip:port rules: there are no flow or payload keywords, so any TCP packet from $HOME_NET
#   to that address and port matches, a bare SYN included. A hit shows a connection
#   attempt, not a completed C2 session. The threshold keeps it to one alert per source
#   address per 60 seconds.
# - target:src_ip marks the $HOME_NET sender as the affected host in the event.
# - metadata confidence_level repeats the percentage shown in msg and can be used to
#   filter or re-prioritise rules at load time.
# NOTE(review): dns_query is the legacy name of the dns.query sticky buffer; confirm the
# deployed Suricata version still accepts it.
# NOTE(review): the first three rules carry confidence_level 50 and match port 443 on
# address alone; corroborate a hit with host or proxy telemetry before treating it as a
# confirmed infection.
alert tcp $HOME_NET any -> [172.86.121.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752464/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752464; rev:1;)
alert tcp $HOME_NET any -> [123.31.11.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752465/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752465; rev:1;)
alert tcp $HOME_NET any -> [5.189.140.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752462/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_22; classtype:trojan-activity; sid:91752462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trailquest.exploratsinyuk.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pathfinder.exploratsinyuk.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snowcrown.orichsnow.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r8ada0zp.novacode.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bozqk0kq.novacode.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"richfrost.orichsnow.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxalaprod-64489.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752453; rev:1;)
alert tcp $HOME_NET any -> [54.177.211.190] 1335 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752451; rev:1;)
alert tcp $HOME_NET any -> [102.117.162.31] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752450; rev:1;)
alert tcp $HOME_NET any -> [172.111.232.241] 5671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752449; rev:1;)
alert tcp $HOME_NET any -> [4.193.136.158] 808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752448; rev:1;)
alert tcp $HOME_NET any -> [2.56.109.9] 777 (msg:"ThreatFox Unknown Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldflake.orichsnow.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rainbarrier.batenshutter.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woodenlatch.batenshutter.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752438; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.130] 42830 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752436; rev:1;)
alert tcp $HOME_NET any -> [165.232.45.1] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tbh.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vub.us.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slot-indonesia.jp.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thunderray.sa.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormpanel.batenshutter.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"366kf0hf.up12file.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thespacemachines.st"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752406; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.12] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752404; rev:1;)
alert tcp $HOME_NET any -> [47.57.1.21] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752400/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"odbsasjd.upgrade4file.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oprc9zre.upgrade4file.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tightfeather.condenfeather.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91751542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearscript.purecode.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91751544; rev:1;)
alert tcp $HOME_NET any -> [206.123.145.26] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751589/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_22; classtype:trojan-activity; sid:91751589; rev:1;)
# In the http rules of this run (mac-os-helper.com, aiselfie.cam), http.uri content:"/"
# with depth:1 is true for every request path that begins with "/", so each rule
# effectively keys on the GET method plus an exact http.host match.
# NOTE(review): if an IOC was meant to cover the root path only, the URI pattern does
# not enforce that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mac-os-helper.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752001/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_22; classtype:trojan-activity; sid:91752001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dutycourier.servantakeaway.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightflash.neondata.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aiselfie.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752335/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_22; classtype:trojan-activity; sid:91752335; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.99] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752396; rev:1;)
alert tcp $HOME_NET any -> [54.147.162.161] 1911 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752397; rev:1;)
alert tcp $HOME_NET any -> [18.212.63.218] 9142 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752394; rev:1;)
alert tcp $HOME_NET any -> [58.244.42.108] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752395; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752392; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.96] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wazuh.kokanddu.uz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752391; rev:1;)
alert tcp $HOME_NET any -> [91.219.237.71] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752390; rev:1;)
alert tcp $HOME_NET any -> [172.111.213.101] 1962 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0uwsxbye.forward3cross.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yhhpswoa.forward3cross.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"steppejourney.nomadsuppurat.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752386; rev:1;)
alert tcp $HOME_NET any -> [122.225.30.63] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752384; rev:1;)
alert tcp $HOME_NET any -> [150.139.136.86] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752383; rev:1;)
alert tcp $HOME_NET any -> [5.89.184.32] 49151 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752382; rev:1;)
alert tcp $HOME_NET any -> [1.94.40.59] 65534 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheapnfljerseys-fromchina.us.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tribalpath.nomadsuppurat.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"desertwander.nomadsuppurat.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ringplank.callresined.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ojqxtq3l.ironrock.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi9h8uf4.ironrock.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"resinwood.callresined.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egtwax65c.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752370; rev:1;)
# The next three rules carry confidence_level 75. Each matches one full host name only;
# the parent domain and its other host names are not covered by these patterns.
# NOTE(review): the parents look like shared dynamic-DNS zones - confirm before deriving
# any domain-wide block from these indicators.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"toleskiki.ddnsgeek.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752369/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swgtcampus0101.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752368/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amsholdings.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752367/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_22; classtype:trojan-activity; sid:91752367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megastream.ultranet.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"superlink.ultranet.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highrange.ultranet.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastexchange.fastlink.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapidcore.fastlink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speednode.fastlink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickpath.fastlink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752359; rev:1;)
alert tcp $HOME_NET any -> [85.11.167.122] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752356; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.64] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752355; rev:1;)
alert tcp $HOME_NET any -> [202.61.137.217] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752354; rev:1;)
alert tcp $HOME_NET any -> [102.98.95.49] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752353; rev:1;)
alert tcp $HOME_NET any -> [149.50.96.57] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752351; rev:1;)
alert tcp $HOME_NET any -> [103.83.86.58] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752352; rev:1;)
alert tcp $HOME_NET any -> [198.135.54.85] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752350; rev:1;)
alert tcp $HOME_NET any -> [192.227.219.75] 54301 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoeyxsife-33031.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752346; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 40701 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752345; rev:1;) alert tcp $HOME_NET any -> [79.107.150.203] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752344; rev:1;) alert tcp $HOME_NET any -> [46.246.86.9] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752343; rev:1;) alert tcp $HOME_NET any -> [94.242.52.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752342; rev:1;) alert tcp $HOME_NET any -> [8.131.77.227] 817 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752341/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752341; rev:1;)
# Domain rule: depth equals the pattern length and isdataat:!1,relative forbids
# trailing data, so the DNS query name must equal this hostname exactly (nocase
# makes the comparison case-insensitive). Lookups for other names under the same
# parent domain do not match this rule.
# NOTE(review): dns_query is the legacy spelling of the dns.query buffer; the
# http rules in this file already use the dotted http.* names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcenevinew.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752340; rev:1;)
# URL rule: needs an established client-to-server flow, a method buffer that
# contains GET, a URI that starts with the given path (depth anchors the start
# only, so longer URIs sharing this prefix also match) and a host buffer exactly
# equal to the pattern. The http.* buffers only see HTTP the engine can parse,
# so the same request inside TLS is not matched unless traffic is decrypted
# before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/group/panelnew/gate.php"; depth:24; nocase; http.host; content:"eyota.com.sg"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752337; rev:1;)
# The next three rules name hosts under the same parent zone (neondata.in.net);
# each is a separate exact-match rule, so a new sibling hostname is not covered
# until the feed adds it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"neonlink.neondata.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citypulse.neondata.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glowbase.neondata.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752331/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mildnode.mildtech.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752329; rev:1;) alert tcp $HOME_NET any -> [108.130.208.104] 44818 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752328; rev:1;) alert tcp $HOME_NET any -> [16.63.109.40] 3445 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752326; rev:1;) alert tcp $HOME_NET any -> [13.221.157.7] 15443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752327; rev:1;) alert tcp $HOME_NET any -> [168.245.203.177] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_22; classtype:trojan-activity; sid:91752325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"easyflow.mildtech.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lightrun.mildtech.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softtech.mildtech.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"safestack.purecode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"primecode.purecode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qa6l1lsk.moonpath.digital"; depth:25; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yaso8456.moonpath.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"logicdev.purecode.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752314; rev:1;) alert tcp $HOME_NET any -> [60.28.219.78] 46314 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.weboss.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752312; rev:1;) alert tcp $HOME_NET any -> [3.108.67.17] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752311/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_21; classtype:trojan-activity; sid:91752311; rev:1;) alert tcp $HOME_NET any -> [83.142.209.3] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752310; rev:1;) alert tcp $HOME_NET any -> [83.142.209.22] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752309; rev:1;) alert tcp $HOME_NET any -> [137.184.243.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752308; rev:1;) alert tcp $HOME_NET any -> [209.90.225.186] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752307; rev:1;) alert tcp $HOME_NET any -> [95.31.217.8] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cleanbase.purecode.in.net"; depth:25; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zenpoint.zenbyte.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearmind.zenbyte.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softlogic.zenbyte.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m67fvuhb.darkpine.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4yf2q0xe.darkpine.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitlight.zenbyte.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"streamhub.fluxnode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corepulse.fluxnode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"databeat.fluxnode.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gridlink.tinygrid.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752294/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_21; classtype:trojan-activity; sid:91752294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"microsync.tinygrid.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smallcell.tinygrid.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartpower.tinygrid.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshwind.breezefarm.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"waterpressureelement.cc"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752281/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_21; classtype:trojan-activity; sid:91752281; rev:1;)
# Same method, URI prefix and host as the rule immediately before it
# (sid 91752281); the two differ only in reference URL and sid, so one matching
# request raises both alerts. Deduplicate on the matched host and URI when
# counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"waterpressureelement.cc"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752280; rev:1;)
# URI is anchored at its start only (depth equals the pattern length, no end
# anchor), so any longer URI beginning with this path also matches; the host
# must equal the pattern exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlinesecurecpuauthdefaultdle.php"; depth:40; nocase; http.host; content:"cv437232.tw1.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1752279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752279; rev:1;)
# ip:port rules carry no flow or content option: TCP traffic from $HOME_NET to
# the listed address and port matches regardless of payload, so a hit shows a
# connection attempt rather than a confirmed session. threshold limits output
# to one alert per source address per 60 seconds; later packets in that window
# produce no further alerts.
alert tcp $HOME_NET any -> [13.245.117.39] 57722 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752277; rev:1;)
alert tcp $HOME_NET any -> [18.116.27.185] 7170 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752278; rev:1;)
# Same destination address as sid 91752277 above, on a different port.
alert tcp $HOME_NET any -> [13.245.117.39] 5222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752276/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752276; rev:1;) alert tcp $HOME_NET any -> [144.172.116.141] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752274; rev:1;) alert tcp $HOME_NET any -> [35.173.190.86] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752275; rev:1;) alert tcp $HOME_NET any -> [77.238.232.188] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752273; rev:1;) alert tcp $HOME_NET any -> [144.31.106.169] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752272; rev:1;) alert tcp $HOME_NET any -> [31.220.100.221] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"farmnode.breezefarm.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenfield.breezefarm.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coolbreeze.breezefarm.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"servetray.servantakeaway.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"taskrunner.servantakeaway.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.yahoos.live"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752264; rev:1;) alert tcp $HOME_NET any -> [89.168.42.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752263; rev:1;) alert tcp $HOME_NET any -> [83.142.209.9] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752262; rev:1;) alert tcp $HOME_NET any -> [83.142.209.9] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752261; rev:1;) alert tcp $HOME_NET any -> [185.103.101.217] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752260/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_21; classtype:trojan-activity; sid:91752260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fieldleader.placewinner.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752258; rev:1;) alert tcp $HOME_NET any -> 
[83.142.209.22] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752257/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91752257; rev:1;)
# The ip:port rules on this line carry confidence_level 75, against 100 on most
# neighbouring rules. The metadata keyword is informational and does not change
# matching, so any confidence-based filtering has to happen in rule management
# or on the alert output. The only match criterion is destination address and
# port, with no flow or content option; where the port is 443 it also carries
# ordinary HTTPS, so corroborate a hit with other host or network telemetry
# before treating it as confirmed C2.
alert tcp $HOME_NET any -> [3.143.125.137] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752256/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91752256; rev:1;)
alert tcp $HOME_NET any -> [188.23.171.50] 8000 (msg:"ThreatFox Eye Pyramid botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752255/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91752255; rev:1;)
alert tcp $HOME_NET any -> [124.95.181.69] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752254/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91752254; rev:1;)
alert tcp $HOME_NET any -> [114.215.127.122] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752253/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91752253; rev:1;)
# Domain rule: depth equals the pattern length and isdataat:!1,relative forbids
# trailing data, so only a query for exactly this hostname matches (nocase
# makes the comparison case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"areavictor.placewinner.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752252/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spotchamp.placewinner.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rankworker.murasubordin.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"colonyorder.murasubordin.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"antregime.murasubordin.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadsadss-30374.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; 
classtype:trojan-activity; sid:91752244; rev:1;)
# Domain indicators, confidence_level 100, first_seen 2026_02_21.
# Each rule inspects the DNS query name (dns_query). depth equals the length of
# the content string and isdataat:!1,relative requires that no byte follows the
# match, so together they pin the rule to the exact name listed (nocase makes
# the comparison case-insensitive). Other names under the same parent zone are
# not covered unless they have their own rule.
# target:src_ip marks the $HOME_NET side of the event as the target.
# NOTE(review): where clients resolve through an internal forwarder, the source
# address the sensor sees may be the forwarder rather than the endpoint -
# confirm sensor placement before attributing a hit to a host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vanillacakeyoutube-52569.portmap.host"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyaiylzj6.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"priceindex.barygameter.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marketmeter.barygameter.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752240/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tradegauge.barygameter.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blindcorner.avoidingglaz.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sidestare.avoidingglaz.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shyvision.avoidingglaz.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"megachannel.ultranet.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"superspan.ultranet.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hypermesh.ultranet.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oakfather.dubniakpops.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woodpatron.dubniakpops.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestelder.dubniakpops.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rapidgate.fastlink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speedport.fastlink.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickbridge.fastlink.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"radiuswall.diameterimpassab.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spanblock.diameterimpassab.ru"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"widebarrier.diameterimpassab.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumencode.neondata.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1752043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752043; rev:1;)
# IP:port indicators (msg names Meterpreter and SectopRAT), confidence_level 100.
# These rules have no flow or content condition: the header alone (any TCP
# packet from $HOME_NET to the listed address and port) raises the alert, so a
# hit shows an attempted connection rather than a confirmed C2 exchange.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds.
# NOTE(review): address-based indicators can outlive the infrastructure they
# described - check first_seen and the ThreatFox reference when triaging a hit.
alert tcp $HOME_NET any -> [51.44.165.12] 6002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752040; rev:1;)
alert tcp $HOME_NET any -> [51.44.165.12] 19952 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752041; rev:1;)
alert tcp $HOME_NET any -> [51.44.165.12] 49502 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752042; rev:1;)
alert tcp $HOME_NET any -> [151.247.25.231] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1752039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752039; rev:1;)
# Domain indicators, confidence_level 100: exact match on the queried name
# (depth equals the content length, isdataat:!1,relative allows nothing after
# it, nocase ignores case). Unlike the tcp rules above, these have no
# threshold keyword, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glowstack.neondata.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightarray.neondata.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fatevision.soothsaying.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oraclevoice.soothsaying.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"futurewhisper.soothsaying.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gentlesys.mildtech.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1752000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91752000; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"qfm9nqbc.windford.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a8d7vrrf.windford.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751998; rev:1;)
# URL indicators, confidence_level 50.
# Match conditions: client-to-server data on an established flow, an
# http.method buffer containing "GET", a request URI that begins with the
# listed path (depth anchors the start; http.uri has no end anchor here, so
# longer paths and query strings also match) and a Host value equal to the
# listed name (depth plus isdataat:!1,relative).
# NOTE(review): several hosts below (www.w3.org, github.com, discord.gg, t.me,
# www.youtube.com) are general-purpose services and the feed itself rates
# these entries at 50%. A hit on one of these sids alone says little about the
# source host; corroborate with other telemetry and the ThreatFox reference.
# If they prove noisy, handle them locally by sid (suricata-update
# disable.conf, or a suppress entry in threshold.config) rather than editing
# the generated feed, which is overwritten on the next update.
# NOTE(review): alert http only fires on requests Suricata can parse as HTTP
# (cleartext or decrypted); requests to these hosts made over TLS are not
# inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/json"; depth:14; nocase; http.host; content:"james.newtonking.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751990/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2000/xmlns/"; depth:12; nocase; http.host; content:"www.w3.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751991/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nursultan"; depth:10; nocase; http.host; content:"discord.gg"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751992/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf"; depth:60; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751993/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cabinet"; depth:8; nocase; http.host; content:"nursultan.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751994/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products"; depth:9; nocase; http.host; content:"nursultan.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751995/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nursultanclient"; depth:16; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751996/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/@official_nursultanclient"; depth:26; nocase; http.host; content:"www.youtube.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751997/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751997; rev:1;)
# Domain indicators, confidence_level 50 (botnet C2 per msg).
# Action and classtype are the same as on the 100% rules in this file; the
# feed's confidence appears only in msg and in the metadata keyword, so any
# ranking or routing by confidence has to read one of those fields.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"b0tnett.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751988/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bot.dead.my.id"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751989/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wzsw5.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751981/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xeoc.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751982/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.xfqjrms.bond"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751983/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751983; rev:1;)
# Domain indicators, confidence_level 50, first_seen 2026_02_21 (botnet C2 per msg).
# dns_query with depth equal to the content length and isdataat:!1,relative
# is an exact, case-insensitive match on the listed name only. Every entry in
# this run includes the "www." label, so a query for the bare domain or for
# another host under it does not match these rules.
# The xn-- entry is an internationalised name in its ASCII (punycode) form;
# the content string is compared as written, without any IDN decoding.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xn--essncesensorial-tnb.com.br"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751984/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xtmmm.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751985/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yakutianguide.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751986/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yinmen-luxeron.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751987/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.southstconstruction.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751951/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.spjpantp.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751952/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.stidq2kmxg.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751953/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.studyvibez.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751954/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.superspectiva.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751955/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sushiswap-app.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751956/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.t7qt8rj9xg.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751957/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.taier-rooftile.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751958/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.teatiger.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751959/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.techihub.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751960/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.thebinpvd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751961/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.thkifry.bond"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751962/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.thx15213w3.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751963/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tk7.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751964/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tnlfy5.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751965/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.triplehunter.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751966/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tripscan21.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751967/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ts6g19v.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751968/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ucuuj829346.luxe"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751969/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uexgdf.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751970/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.uspcs.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751971/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.valencia-motogp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751972/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vaxfreemilk.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751973/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ved-my-semya-smotret.online"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751974/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.w7z81v.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751975/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wacareerplus.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751976/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.watakyu-kaimin.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751977/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wguwbnq792.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751978/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751978; rev:1;)
# Domain indicators, confidence_level 50, first_seen 2026_02_21 (botnet C2 per msg).
# Each rule alerts when a $HOME_NET host queries exactly the listed name
# (dns_query buffer, depth equal to the content length, isdataat:!1,relative,
# nocase). None of these rules has a threshold keyword, so repeated lookups of
# the same name produce one alert per matching query.
# NOTE(review): a DNS hit shows that a name was looked up, not that a
# connection followed - pair it with flow or endpoint data before escalating,
# especially at this confidence level.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.winhubwin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751979/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wwwph143ph.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751980/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oinsjet.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751921/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ombhhy5.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751922/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.omprimmoonremetboo.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751923/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.opnhqw.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751924/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.or6l8v1wb.pro"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751925/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.orakuxafolidv.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751926/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.outletbelle.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751927/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.oxelys-solution.fr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751928/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pabitechnology.us"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751929/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.paciscion.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751930/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.parcitogolf.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751931/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pc-china-mile.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751932/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pealenik.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751933/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.piaohua2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751934/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pin-up8k5.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751935/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pinup-casino-zerkalo.buzz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751936/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pixelkonnstructor.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751937/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.qzsy74.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751938/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.racekapital.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751939/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ratamento.gripe"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751940/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.remi62.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751941/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.revistadomomento.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751942/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rfrcjpn.bond"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751943/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rntpr8460f.cfd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1751944/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rostabilon.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751945/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rwd.exchange"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751946/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.sakuramassages.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751947/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.serviceplus.pro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751948/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shadowluck.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751949/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; 
classtype:trojan-activity; sid:91751949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shop808culture.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751950/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.krczibo.bond"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751896/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.limitlesssupplements.shop"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751897/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lunrycas.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751898/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lxwph.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751899/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.m-nabu.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751900/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.m0496kf.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751901/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.macrovectoralliance.sbs"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751902/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mafiyacoffee.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751903/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.maka69.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751904/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.manilaplayplay.com"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751905/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.marylandguild.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751906/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mehmetarhan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751907/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.miacheap.flights"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751908/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.molivarnet.asia"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751909/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.muokamasyfose.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751910/; target:src_ip; metadata: 
confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.myoakviewbenefits.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751911/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.n1ph1s.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751912/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.natravamed.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751913/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.newiberiacarwrecklawyer.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751914/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nihao626260.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751915/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751915; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nobunosuke.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751916/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nolachronicle.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751917/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.notguilty.sk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751918/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ntbeinhd16.cfd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751919/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.o4ev6y.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751920/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.furrybeehive.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751865/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.garrisonfxc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751866/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gensetresmi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751867/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.giftprints.cl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751868/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.glamourexpert.live"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751869/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.goatover.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1751870/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.guttercleaningburlingtonma.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751871/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gvewm.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751872/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.h0j6lbe.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751873/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hardfeelingsblog.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751874/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.health-prader-willi-nyz6s7.live"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751875/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_02_21; classtype:trojan-activity; sid:91751875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.heetmehtaofficial.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751876/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.help.ventures"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751877/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hsck.pub"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751878/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hubsmartproperties.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751879/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hxcwyj.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751880/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.hyeokus.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751881/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ierrepironet.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751882/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.igjewelry.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751883/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.impulsvendrell.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751884/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.info-premierballers.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751885/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.isnevrc.bond"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751886/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iwfp9o.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751887/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jennyfercoox.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751888/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jess-sol.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751889/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jexedyu7.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751890/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jnanadeepaexpert.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751891/; target:src_ip; 
metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jordnmusic.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751892/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kevinolinger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751893/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kisahkasihsatwa.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751894/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kodagen.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751895/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bvcki.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751838/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751838; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.c800ah.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751839/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.charmpulse.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751840/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.chxmpion.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751841/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.clavebathhouse.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751842/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.clearflowlearing.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751843/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.conterahip.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751844/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751844; rev:1;)
# --- DNS lookups of listed names (ThreatFox "botnet C2 traffic", confidence_level 50) ---
# Each rule fires when a $HOME_NET host queries exactly the listed name: the
# content must sit at the start of the dns_query buffer (depth equals the name
# length) and isdataat:!1,relative requires that nothing follows it; nocase
# makes the comparison case-insensitive. Other labels under the same domain
# (including the name without "www.") are not covered.
# target:src_ip marks the querying client as the affected host. sid is the
# ThreatFox IOC id from the reference URL prefixed with 9, which gives a direct
# pivot from an alert to the IOC record.
# Triage note: a hit shows a name lookup only, and these rules carry no
# threshold keyword, so repeated queries alert repeatedly. Given the feed's 50%
# confidence rating, corroborate with connection or endpoint telemetry before
# treating a hit as confirmed C2.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.curation.today"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751845/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.d0re26amc.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751846/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.darkxpixel.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751847/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dayaneejoaquim.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751848/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.decisintrepid.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751849/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.demingworld.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751850/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dldaljq.bond"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751851/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.drwn.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751852/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dxmestudioacademia.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751853/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ecovitalformulasbf.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751854/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.elytraonline.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751855/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.erralinfa.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751856/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.esenciacz.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751857/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.eu-r-pg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751858/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.evolegy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751859/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.f6el2g.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751860/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.faithbenefit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751861/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.findsteqboutique.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751862/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fkbr50.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751863/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.front-ft.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751864/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.712uu.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751810/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7m20wvee.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751811/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.8ei3mlle.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751812/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.8uh6g.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751813/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.91mh042.vip"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751814/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9thaqjxs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751815/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9x2si9q5.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751816/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.adashucoaching.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751817/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.adgenmedia.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751818/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.agno.sk"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751819/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.airobotcatering.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751820/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ajq979-q4mjso.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751821/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.akabetvip.email"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751822/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.akademia-lik.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751823/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.akxugw.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751824/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.amazondale.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751825/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ango.works"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751826/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.antest-iroepke-251105-2.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751827/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ar3ebj.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751828/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.argachali.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751829/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.arysportswear.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751830/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.awardevolution.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751831/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.berwiannicoslife7.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751832/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bigfootwoodcare.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751833/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bobewigi.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751834/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.boostupbloggings.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751835/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.botan-essentials.store"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751836/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.brixaloneth.world"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751837/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.013832.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751797/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.030054405.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751798/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.08227903.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751799/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.0fb7fwr0.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751800/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.130102y.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751801/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.170064a.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751802/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.2tenmarketingok.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751803/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.3fusyu.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751804/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.44352896.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751805/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751805; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.4889763.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751806/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.5736x.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751807/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.6n4pcj.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751808/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751808; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.6supv0.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751809/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751809; rev:1;)
# --- HTTP requests to a listed host + URI prefix (confidence_level 50) ---
# Each rule fires on a client request in an established flow whose method
# buffer contains GET, whose URI starts with the listed 6-byte prefix (depth:6,
# nocase), and whose http.host buffer equals the listed name (depth equals the
# name length, isdataat:!1,relative forbids trailing bytes). The host content
# carries no nocase; it is written in lowercase, which matches Suricata's
# lowercased http.host buffer.
# Coverage note: these rules inspect parsed HTTP only, so the same host reached
# over TLS is not seen here unless traffic is decrypted upstream of the sensor.
# As with the DNS rules there is no threshold keyword and the feed rates these
# at 50% confidence, so corroborate a hit before treating it as confirmed C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.wzsw5.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751790/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.xeoc.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751791/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.xfqjrms.bond"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751792/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.xn--essncesensorial-tnb.com.br"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751793/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.xtmmm.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751794/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.yakutianguide.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751795/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.yinmen-luxeron.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751796/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.ucuuj829346.luxe"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751778/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.uexgdf.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751779/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.uspcs.click"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751780/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.valencia-motogp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751781/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.vaxfreemilk.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751782/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ved-my-semya-smotret.online"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751783/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.w7z81v.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751784/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.wacareerplus.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751785/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.watakyu-kaimin.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751786/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.wguwbnq792.vip"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751787/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.winhubwin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751788/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.wwwph143ph.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751789/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.t7qt8rj9xg.cc"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751766/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.taier-rooftile.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751767/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.teatiger.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751768/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.techihub.store"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751769/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.thebinpvd.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751770/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.thkifry.bond"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751771/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.thx15213w3.cc"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751772/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.tk7.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751773/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.tnlfy5.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751774/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.triplehunter.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751775/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.tripscan21.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751776/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ts6g19v.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751777/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.sakuramassages.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751755/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.serviceplus.pro"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751756/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.shadowluck.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751757/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.shop808culture.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751758/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.shopzone.life"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751759/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.southstconstruction.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751760/; target:src_ip; 
metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.spjpantp.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751761/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.stidq2kmxg.cc"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751762/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.studyvibez.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751763/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.superspectiva.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751764/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.sushiswap-app.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751765/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.piaohua2.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751742/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.pin-up8k5.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751743/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.pinup-casino-zerkalo.buzz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751744/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; 
content:"www.pixelkonnstructor.store"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751745/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.qzsy74.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751746/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.racekapital.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751747/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.ratamento.gripe"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751748/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.remi62.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751749/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; 
classtype:trojan-activity; sid:91751749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.revistadomomento.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751750/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.rfrcjpn.bond"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751751/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.rntpr8460f.cfd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751752/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.rostabilon.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751753/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.rwd.exchange"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751754/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.ombhhy5.sbs"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751730/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.omprimmoonremetboo.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751731/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.opnhqw.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751732/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.or6l8v1wb.pro"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1751733/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.orakuxafolidv.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751734/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.outletbelle.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751735/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.oxelys-solution.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751736/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.pabitechnology.us"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751737/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751737; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.paciscion.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751738/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.parcitogolf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751739/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.pc-china-mile.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751740/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.pealenik.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751741/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ns05/"; depth:6; nocase; http.host; content:"www.muokamasyfose.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751718/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.myoakviewbenefits.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751719/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.n1ph1s.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751720/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.natravamed.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751721/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.newiberiacarwrecklawyer.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751722/; 
target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.nihao626260.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751723/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.nobunosuke.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751724/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.nolachronicle.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751725/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.notguilty.sk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751726/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ntbeinhd16.cfd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751727/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.o4ev6y.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751728/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.oinsjet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751729/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.limitlesssupplements.shop"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751705/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; 
content:"www.lunrycas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751706/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.lxwph.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751707/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.m-nabu.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751708/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.m0496kf.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751709/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.macrovectoralliance.sbs"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751710/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; 
classtype:trojan-activity; sid:91751710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.mafiyacoffee.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751711/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.maka69.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751712/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.manilaplayplay.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751713/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.marylandguild.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751714/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.mehmetarhan.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751715/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.miacheap.flights"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751716/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.molivarnet.asia"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751717/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.info-premierballers.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751692/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.isnevrc.bond"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751693/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.iwfp9o.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751694/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.jennyfercoox.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751695/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.jess-sol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751696/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.jexedyu7.pro"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751697/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751697; rev:1;) 
# ThreatFox "url" IOC rules, laid out one rule per line (Suricata reads a rule from a
# single line unless it is continued with a trailing backslash).
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - the URI begins with the 6-byte prefix in the http.uri content
#     (depth:6 anchors it at the start; nocase makes the comparison case-insensitive), and
#   - the http.host buffer equals the listed name exactly (depth equals the content
#     length, and isdataat:!1,relative rejects any trailing byte).
# target:src_ip marks the $HOME_NET sender as the target of the event; the sid is the
# digit 9 followed by the ThreatFox IOC id shown in the reference URL.
# confidence_level is 50 on every rule here: a hit is a lead to triage on the source
# host, not a verdict. NOTE(review): not suitable as a drop/block list without corroboration.
# NOTE(review): these http rules do not see requests carried inside TLS unless the
# traffic is decrypted upstream, and no threshold option is set, so each matching
# request raises its own alert — consider DNS / TLS SNI coverage for the same hosts
# and a per-source limit in threshold.config.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.jnanadeepaexpert.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751698/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.jordnmusic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751699/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.kevinolinger.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751700/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.kisahkasihsatwa.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751701/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.kodagen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751702/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.krczibo.bond"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751703/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.learingcenter.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751704/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.h0j6lbe.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751680/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.hardfeelingsblog.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751681/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.health-prader-willi-nyz6s7.live"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751682/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.heetmehtaofficial.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751683/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.help.ventures"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751684/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.hsck.pub"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751685/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.hubsmartproperties.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751686/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.hxcwyj.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751687/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.hyeokus.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751688/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ierrepironet.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751689/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751689; rev:1;)
# (The next line is the head of a rule that continues beyond this section.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; 
content:"www.igjewelry.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751690/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.impulsvendrell.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751691/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.faithbenefit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751668/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.findsteqboutique.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751669/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.fkbr50.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751670/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_02_21; classtype:trojan-activity; sid:91751670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.front-ft.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751671/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.furrybeehive.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751672/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.garrisonfxc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751673/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.gensetresmi.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751674/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.giftprints.cl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751675/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.glamourexpert.live"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751676/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.goatover.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751677/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.guttercleaningburlingtonma.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751678/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.gvewm.xyz"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751679/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.decisintrepid.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751656/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.demingworld.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751657/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.dldaljq.bond"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751658/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.drwn.ch"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751659/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751659; rev:1;) 
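# ThreatFox URL IOCs (confidence_level 50, first_seen 2026_02_21), restored to one rule per line.
# Suricata reads a rule from a single line unless the line ends in a backslash continuation,
# so rules wrapped in the middle of an option (or inside msg) would not load.
#
# Every rule in this group has the same shape:
#   - flow:established,from_client + http.method "GET": client-to-server GET requests only.
#   - http.uri content with depth:6 and nocase: the URI must begin with the six-byte
#     prefix (/ns05/, /tu90/ or /fz49/), in any letter case.
#   - http.host content with depth:<hostname length> and isdataat:!1,relative: the host
#     buffer must equal the listed hostname, with no bytes after it.
#
# Triage notes:
#   - confidence_level is 50: corroborate a hit (DNS, proxy and endpoint telemetry)
#     before treating the source host as compromised.
#   - These are `alert http` rules, so they only see traffic Suricata parses as HTTP;
#     requests to the same hosts inside TLS are not covered unless decrypted upstream.
#   - target:src_ip marks the $HOME_NET client as the affected side of the alert.
#   - No threshold keyword is set, so every matching request raises its own alert;
#     rate-limit or suppress by sid in the threshold configuration rather than
#     editing the rule text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.dxmestudioacademia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751660/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.ecovitalformulasbf.info"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751661/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.elytraonline.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751662/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.erralinfa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751663/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.esenciacz.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751664/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.eu-r-pg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751665/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.evolegy.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751666/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.f6el2g.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751667/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.bvcki.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751644/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.c800ah.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751645/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.centerwellstateave1.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751646/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.charmpulse.biz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751647/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.chxmpion.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751648/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.clavebathhouse.info"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751649/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.clearflowlearing.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751650/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.conterahip.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751651/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.curation.today"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751652/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.d0re26amc.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751653/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.darkxpixel.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751654/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.dayaneejoaquim.com.br"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751655/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ango.works"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751632/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.antest-iroepke-251105-2.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751633/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.ar3ebj.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751634/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.argachali.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751635/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.arysportswear.us"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751636/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.awardevolution.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751637/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.berwiannicoslife7.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751638/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.bigfootwoodcare.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751639/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.bobewigi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751640/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.boostupbloggings.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751641/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.botan-essentials.store"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751642/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.brixaloneth.world"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751643/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.91mh042.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751620/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.9thaqjxs.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751621/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.9x2si9q5.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751622/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.adashucoaching.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751623/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.adgenmedia.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751624/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.agno.sk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751625/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.airobotcatering.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751626/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.ajq979-q4mjso.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751627/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.akabetvip.email"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751628/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.akademia-lik.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751629/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.akxugw.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751630/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.amazondale.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751631/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.170064a.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751608/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.2tenmarketingok.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751609/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.3fusyu.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751610/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.44352896.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751611/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.4889763.cc"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751612/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns05/"; depth:6; nocase; http.host; content:"www.5736x.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751613/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.6n4pcj.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751614/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.6supv0.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751615/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.712uu.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751616/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.7m20wvee.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751617/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.8ei3mlle.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751618/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.8uh6g.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751619/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.013832.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751603/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751603; rev:1;)
# The rule that begins with the token below continues on the following line of this file.
alert 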
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.030054405.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751604/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tu90/"; depth:6; nocase; http.host; content:"www.08227903.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751605/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.0fb7fwr0.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751606/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fz49/"; depth:6; nocase; http.host; content:"www.130102y.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751607/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lightforge.mildtech.in.net"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"betsan01.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751599/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"devtu35.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751600/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"morfec03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751601/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"devtu35.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751597/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; 
content:"morfec03.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751598/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php"; depth:13; nocase; http.host; content:"betsan01.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751596/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alwinshop.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751595/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb9ivshs02/index.php"; depth:21; nocase; http.host; content:"89.23.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751594/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8c91e91fdd93452c.php"; depth:21; nocase; http.host; content:"193.38.248.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751593/; target:src_ip; metadata: confidence_level 50, first_seen 
2026_02_21; classtype:trojan-activity; sid:91751593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/920475a59bac849d.php"; depth:21; nocase; http.host; content:"85.28.47.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751592/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softengine.mildtech.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sternpapa.resentingdad.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grimparent.resentingdad.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"banktools.in.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751585/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_21; classtype:trojan-activity; sid:91751585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facades.br.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xn--20t33u11srlm.jp.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitterfather.resentingdad.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"thresumebuilder.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751579/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"resumebuilders.us"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751580/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"newresumebuilders.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751581/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"raytherrien.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751576/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"malext.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751577/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"mac-os-helper.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751578/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751578; rev:1;) alert tcp $HOME_NET any -> [144.31.62.176] 9443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751575/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751575; rev:1;) alert tcp $HOME_NET any -> [3.140.254.73] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1751574/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751574; rev:1;) alert tcp $HOME_NET any -> [103.228.38.76] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751573/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751573; rev:1;) alert tcp $HOME_NET any -> [2.58.56.98] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751572/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751572; rev:1;) alert tcp $HOME_NET any -> [167.88.166.204] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751571/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751571; rev:1;) alert tcp $HOME_NET any -> [38.60.220.217] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751570/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751570; rev:1;) alert tcp $HOME_NET any -> [179.61.145.59] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751568/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751568; rev:1;) alert tcp $HOME_NET any -> [151.59.111.103] 8080 (msg:"ThreatFox SectopRAT botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751569/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751569; rev:1;) alert tcp $HOME_NET any -> [151.59.108.209] 8080 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751567/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751567; rev:1;) alert tcp $HOME_NET any -> [137.184.188.89] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751564/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751564; rev:1;) alert tcp $HOME_NET any -> [88.99.99.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751565/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751565; rev:1;) alert tcp $HOME_NET any -> [144.172.107.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751566/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751566; rev:1;) alert tcp $HOME_NET any -> [217.26.31.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751562/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; 
sid:91751562; rev:1;) alert tcp $HOME_NET any -> [62.171.138.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751563/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"codespring.purecode.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751561; rev:1;) alert tcp $HOME_NET any -> [98.88.22.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751560/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751560; rev:1;) alert tcp $HOME_NET any -> [8.213.43.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751555/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751555; rev:1;) alert tcp $HOME_NET any -> [181.174.165.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751556/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751556; rev:1;) alert tcp $HOME_NET any -> [20.33.123.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751557/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751557; rev:1;) alert tcp $HOME_NET any -> [34.252.160.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751558/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751558; rev:1;) alert tcp $HOME_NET any -> [20.22.106.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751553/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751553; rev:1;) alert tcp $HOME_NET any -> [137.184.122.10] 5006 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751554/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751554; rev:1;) alert tcp $HOME_NET any -> [42.228.216.78] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751552/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751552; rev:1;) alert tcp $HOME_NET any -> [34.253.217.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751550/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751550; rev:1;) alert tcp $HOME_NET any -> 
[70.169.51.111] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751551/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751551; rev:1;) alert tcp $HOME_NET any -> [63.34.201.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751549/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751549; rev:1;) alert tcp $HOME_NET any -> [172.86.121.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751548/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751548; rev:1;) alert tcp $HOME_NET any -> [176.99.14.145] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751547/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_21; classtype:trojan-activity; sid:91751547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"logicform.purecode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; 
nocase; http.host; content:"143.92.60.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751505; rev:1;) alert tcp $HOME_NET any -> [143.92.60.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mao_http.sh"; depth:12; nocase; http.host; content:"45.95.146.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751507/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91751507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datapulse.fluxnode.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"youngsparrow.childbird.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kidwing.childbird.ru"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nestlingflight.childbird.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calmstack.zenbyte.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bytepeace.zenbyte.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silentlogic.zenbyte.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"denseplume.condenfeather.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1751537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751537; rev:1;)
# Domain rules (alert dns): depth is set to the pattern length and
# isdataat:!1,relative rejects any byte after the match, so only a query for
# exactly the listed name alerts (nocase makes it case-insensitive).
# Subdomains and parent domains of the name do not match.
# target:src_ip records the $HOME_NET source as the affected host in the event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"firmquill.condenfeather.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1m82015w.embercore.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6dj7e6w9.embercore.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751525; rev:1;)
# ip:port rules (alert tcp): there is no flow, app-layer or content keyword, so
# any TCP packet from $HOME_NET to the listed address and port matches. The
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at
# one alert per source address per 60 seconds.
# The malware family in msg is the feed's label for the indicator; the rule does
# not inspect the protocol. Check a hit against the reference URL and the
# first_seen date before acting on it.
# This indicator is published at 75% confidence (also carried in metadata), so
# it can be triaged separately from the 100% entries.
alert tcp $HOME_NET any -> [118.107.16.253] 7004 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751523/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91751523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"26s1p5ue.frostholm.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fk4x7a44.frostholm.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751518; rev:1;)
alert tcp $HOME_NET any -> [195.16.44.75] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751515; rev:1;)
alert tcp $HOME_NET any -> [31.25.135.74] 446 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751514; rev:1;)
alert tcp $HOME_NET any -> [193.181.213.253] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751512; rev:1;)
alert tcp $HOME_NET any -> [56.155.101.105] 28080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751513; rev:1;)
alert tcp $HOME_NET any -> [128.199.110.246] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751510; rev:1;)
alert tcp $HOME_NET any -> [15.160.149.198] 50001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751511; rev:1;)
alert tcp $HOME_NET any -> [143.92.60.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751509; rev:1;)
alert tcp $HOME_NET any -> [193.187.91.221] 54073 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yzac4fqt.duskvale.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e0iohoi5.duskvale.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751497; rev:1;)
alert tcp $HOME_NET any -> [64.225.39.118] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751495/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91751495; rev:1;)
alert tcp $HOME_NET any -> [14.102.238.72] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751494/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_21; classtype:trojan-activity; sid:91751494; rev:1;)
# NOTE(review): the next two rules cover ports 80 and 443 on one address with no
# content match. If that address also serves unrelated sites, ordinary web
# traffic to it will alert; confirm against the reference entries.
alert tcp $HOME_NET any -> [45.8.93.27] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751488; rev:1;)
alert tcp $HOME_NET any -> [45.8.93.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751489; rev:1;)
alert tcp $HOME_NET any -> [196.75.37.117] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751486; rev:1;)
alert tcp $HOME_NET any -> [103.177.46.3] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751487; rev:1;)
alert tcp $HOME_NET any -> [93.198.187.22] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751484; rev:1;)
alert tcp $HOME_NET any -> [45.116.104.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751483; rev:1;)
alert tcp $HOME_NET any -> [34.153.28.2] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751482; rev:1;)
alert tcp $HOME_NET any -> [109.199.121.1] 1962 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751481; rev:1;)
alert tcp $HOME_NET any -> [87.120.219.218] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stqol819.thornwick.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0jubd61o.thornwick.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751478; rev:1;)
alert tcp $HOME_NET any -> [115.231.171.21] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751477; rev:1;)
alert tcp $HOME_NET any -> [185.157.46.212] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tapnetic.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shorepoint.lakeford.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751327; rev:1;)
alert tcp $HOME_NET any -> [180.93.52.81] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepref.silverbay.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751356; rev:1;)
alert tcp $HOME_NET any -> [159.65.99.110] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751360; rev:1;)
alert tcp $HOME_NET any -> [68.183.40.248] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythic.dad"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751374; rev:1;)
# URL rule (alert http): the URI test is only a leading "/" (depth:1), which
# practically every request satisfies, so this alerts on any parsed client GET
# on an established flow whose Host is exactly the listed name (depth equals
# the name length and isdataat:!1,relative forbids trailing bytes).
# NOTE(review): an http rule sees only HTTP that Suricata can parse; HTTPS to the
# same host is not covered without TLS decryption, and no dns rule for this name
# is visible in this part of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"goarnsds.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751432/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_21; classtype:trojan-activity; sid:91751432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pulse-briefs-mounting-manufactured.trycloudflare.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"built.it.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klb.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vlxx88.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porfs.servehalflife.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751470; rev:1;)
alert tcp $HOME_NET any -> [13.211.133.200] 20256 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751466; rev:1;)
alert tcp $HOME_NET any -> [18.185.16.158] 40786 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751467; rev:1;)
alert tcp $HOME_NET any -> [108.131.26.94] 2522 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751464; rev:1;)
alert tcp $HOME_NET any -> [13.158.141.68] 9755 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751465; rev:1;)
alert tcp $HOME_NET any -> [52.195.227.118] 2083 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751462; rev:1;)
alert tcp $HOME_NET any -> [16.26.43.159] 38259 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751463; rev:1;)
alert tcp $HOME_NET any -> [177.161.176.25] 3000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751461; rev:1;)
alert tcp $HOME_NET any -> [204.12.205.233] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fahadx700-53150.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jcy98d7wk.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751458; rev:1;)
# Domain rules (alert dns): depth is set to the pattern length and
# isdataat:!1,relative rejects any byte after the match, so only a query for
# exactly the listed name alerts (nocase makes it case-insensitive).
# Subdomains and parent domains of the name do not match.
# target:src_ip records the $HOME_NET source as the affected host in the event.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-connecs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-partns.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751456; rev:1;)
# ip:port rules (alert tcp): there is no flow, app-layer or content keyword, so
# any TCP packet from $HOME_NET to the listed address and port matches. The
# threshold (type limit, track by_src, seconds 60, count 1) caps each rule at
# one alert per source address per 60 seconds.
# The malware family in msg is the feed's label for the indicator; the rule does
# not inspect the protocol. Check a hit against the reference URL and the
# first_seen date before acting on it. Entries below 100% confidence carry the
# same value in metadata (confidence_level), so they can be triaged separately.
alert tcp $HOME_NET any -> [64.227.8.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751455; rev:1;)
alert tcp $HOME_NET any -> [64.225.39.118] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751454/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_21; classtype:trojan-activity; sid:91751454; rev:1;)
alert tcp $HOME_NET any -> [47.104.159.246] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751453; rev:1;)
alert tcp $HOME_NET any -> [65.2.132.141] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751443; rev:1;)
alert tcp $HOME_NET any -> [43.210.37.47] 2095 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751442; rev:1;)
alert tcp $HOME_NET any -> [3.29.67.62] 53282 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751441; rev:1;)
alert tcp $HOME_NET any -> [3.29.67.62] 37782 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751440; rev:1;)
alert tcp $HOME_NET any -> [165.245.186.179] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751439; rev:1;)
# NOTE(review): rules on port 80 or 443 with no content match (such as the next
# one) alert on any connection to that address. If the address also serves
# unrelated sites, ordinary web traffic will alert; confirm via the reference.
alert tcp $HOME_NET any -> [102.98.90.86] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751438; rev:1;)
alert tcp $HOME_NET any -> [194.135.20.24] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751437; rev:1;)
alert tcp $HOME_NET any -> [192.109.139.158] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_21; classtype:trojan-activity; sid:91751436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0l833z7h.ironbark.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mi8r8dc4.ironbark.digital"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8i5lypxm6.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-extrans.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751427; rev:1;)
alert tcp $HOME_NET any -> [165.232.45.1] 5600 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751426; rev:1;)
alert tcp $HOME_NET any -> [64.111.93.170] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751424/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_20; classtype:trojan-activity; sid:91751424; rev:1;)
alert tcp $HOME_NET any -> [185.141.216.76] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751425/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_20; classtype:trojan-activity; sid:91751425; rev:1;)
alert tcp $HOME_NET any -> [170.187.144.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751423/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_20; classtype:trojan-activity; sid:91751423; rev:1;)
alert tcp $HOME_NET any -> [46.225.168.157] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751422/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_20; classtype:trojan-activity; sid:91751422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enviodefebre8095.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751421; rev:1;)
alert tcp $HOME_NET any -> [185.243.214.51] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751399; rev:1;)
alert tcp $HOME_NET any -> [13.49.226.59] 1099 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751398; rev:1;)
alert tcp $HOME_NET any -> [16.51.153.193] 54717 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751397; rev:1;)
alert tcp $HOME_NET any -> [18.118.24.86] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751396; rev:1;)
alert tcp $HOME_NET any -> [115.190.53.184] 666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkpath.grayford.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jainnamkeen.in.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezonemart.in.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudford.grayford.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751379; rev:1;)
alert tcp $HOME_NET any -> [9.223.178.81] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751377/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751377; rev:1;)
alert tcp $HOME_NET any -> [3.87.159.213] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751376/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751376; rev:1;)
alert tcp $HOME_NET any -> [117.157.22.184] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751375/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonebridge.grayford.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"northpeak.coldpine.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wintersync.coldpine.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751371; rev:1;)
# URL rule (alert http): matches a client GET on an established flow whose URI
# begins with "/updater" (depth:8, nocase; there is no end anchor, so longer
# paths sharing that prefix also match) and whose Host is exactly the listed
# name (depth equals the name length, isdataat:!1,relative forbids more bytes).
# NOTE(review): an http rule sees only HTTP that Suricata can parse; HTTPS to the
# same host is not covered without TLS decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"waterpressureelement.cc"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frostneedle.coldpine.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"icepine.coldpine.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751368; rev:1;)
# The next two rules name the same address on adjacent ports, published at
# different confidence levels (75% and 100%).
alert tcp $HOME_NET any -> [104.233.184.215] 1235 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751367/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751367; rev:1;)
alert tcp $HOME_NET any -> [104.233.184.215] 1233 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardmoss.mossrock.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldlayer.mossrock.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonepatch.mossrock.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zekjryh8.misthollow.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a0mvufym.misthollow.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenmoss.mossrock.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coolcoast.silverbay.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silvertide.silverbay.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oceanview.silverbay.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silentroot.darkpine.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkforest.darkpine.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751348; rev:1;)
alert tcp $HOME_NET any -> [202.191.67.71] 4446 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751347; rev:1;)
alert tcp $HOME_NET any -> [185.241.211.57] 5000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nightneedle.darkpine.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowpine.darkpine.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highflow.windford.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox
payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastbreeze.windford.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormtrace.windford.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nano.viewdns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751340/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grayroad.grayford.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stronggale.windford.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"1t7qbrm9t.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751337; rev:1;) alert tcp $HOME_NET any -> [194.116.236.112] 7232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"depthnode.lakeford.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goarnsds.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751334; rev:1;) alert tcp $HOME_NET any -> [60.28.219.78] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751333; rev:1;) alert tcp $HOME_NET any -> [60.28.219.78] 38423 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751332/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751332; rev:1;) alert tcp $HOME_NET any -> [91.247.235.216] 9042 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751331; rev:1;) alert tcp $HOME_NET any -> [181.162.164.151] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751330; rev:1;) alert tcp $HOME_NET any -> [213.55.242.27] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751328; rev:1;) alert tcp $HOME_NET any -> [213.55.242.27] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldstream.lakeford.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"waterpath.lakeford.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mountpeak.rockpine.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v2.petrnesterov.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751305/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xpekt.aurovine.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751306/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"relativeplanning.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751307/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lingering-verify-cloud.pages.dev"; depth:32; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751308/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"btexee3dc53f6dc453f6a9f461a5hfamd.pages.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751309/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vair.xcreative.cz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751310/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"renovation-create.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751311/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"createsouken.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751312/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"panoramarevue.sitecreation.ma"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751313/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"create-seibu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751314/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"farrcreative.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751315/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supportcreation.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751316/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creatnova.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751317/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"verify-captcha-service-google.pages.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751318/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751318; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"verifycaptchaservice-a09ee3dc53f6a9f461a45.pages.dev"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751319/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dca09ee3dc53f6a9.pages.dev"; depth:61; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751320/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a09ee3dc53f6a9f461a45bac946c5a09ee3dc453f6a9f461a5.pages.dev"; depth:60; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751321/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.lifeandhope.ec"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751284/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"high888.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751285/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751285; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"d-ac.jp"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751286/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alphamservice.be"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751287/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3squaredapps.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751288/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yeezyboostsalesos.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751289/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dolphin.edu.np"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751290/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"mail.vanguartagency.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751291/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vpnathan-partners.com.my"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751292/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tenjin-central.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751293/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"airtrafficsolutions.com.au"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751294/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"npaym.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751295/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"knowledgemomentum-net.moneymaking-opportunities.com"; depth:51; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751296/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"annietello.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751297/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"simaalborg.dk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751298/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lingering-my-verify-clouds-1.pages.dev"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751299/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lingering-my-verify-clouds-0.pages.dev"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751300/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yozami.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751301/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_20; classtype:trojan-activity; sid:91751301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capindustrial.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751302/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daveshobbymarket.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751303/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xquizit.aurovine.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751304/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"planocreativo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751264/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zabaikalsk.logomebel.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"volarfab.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751266/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-cb9a3496.strategy.vision"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751267/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vyborg.logomebel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751268/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taro.xagrosa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751269/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thiruvallur.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751270/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ukrhelp.sam-sebe-columb.com"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751271/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tinidevs.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751272/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sprueche-wuensche-gruesse.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751273/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.kryla.land"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751274/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zvezda-44.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751275/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zarkasyi-golkar12.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751276/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yoshikou-reunion.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751277/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yoshkarola.logomebel.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751278/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xaydungmaison.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751279/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yufit.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wptraining.cloudware.ng"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751281/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751281; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wpt-8gek.162-215-130-152.cpanel.site.oligoflora.com.br"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751282/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-1a9d6001.arminpardo.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751283/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"krasnoyarsk.logomebel.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751244/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kurgan.logomebel.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751245/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"antoineruiz.it"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751246/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"cashazing.dev.prodevr.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751247/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bwpeople-hr40under40-talentworld.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751248/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"calmost-hair.main.jp"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751249/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cms.iqwing.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751250/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dveryuga.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751251/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"emba.nu.edu.eg"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751252/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"footballpicksandpredictions.moneymaking-opportunities.com"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751253/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kastechnologies.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751254/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.lacasadeltexu.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751255/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zelenograd.logomebel.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751256/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"petrozavodsk.logomebel.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751257/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zoloh.starlandhotel.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751258/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tottenhamtraders.co.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751259/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tinklapiuprieziura.lt"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751260/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sushilanepal.com.np.nepalpaymentshub.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751261/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"residencialgolapa.com.br"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751262/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ownvitality.xsrv.jp"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751263/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vsure.trumpcode.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751226/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thietbilanh.cokhiviendong.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751227/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techtotalix.com.topmostfreight.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751228/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sultanshopee.ninetysix.in"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751229/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751229; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pgadmin.ddsis.com.mx"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751230/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nhahang3.umemarketingagency.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751231/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.bennnene.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751232/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"velikieluki.logomebel.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751233/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seminariodiocesedejanauba.com.br.agenciadelivearte.com.br"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751234/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"yalta.logomebel.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751235/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vellenso.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751236/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visuapex.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751237/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"treat.kusherp.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751238/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"v1.estismail.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751239/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"uggtrade.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1751240/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pulsebeatrecords.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751241/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"meimeilab.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751242/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.mo-ag.co.uk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751243/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berna-und-max.lenz-berauscht.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751216/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bh3.umemarketingagency.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751217/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bxsandbox2.pragma.by"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751218/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hablaportafolio.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751219/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lns.owl.temporary.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751220/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"konferenceappka.bartvisions.cz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751221/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.binbinartgallery.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751222/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.createubebeni.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751223/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751223; rev:1;)
# The dns rules that follow share one shape: `dns_query` selects the DNS query
# name, `depth:N` equals the length of the content string, and
# `isdataat:!1,relative` requires that no byte follows the match. Together with
# `nocase` each rule is therefore a case-insensitive match on the whole name;
# a query for a subdomain of a listed name does not fire it.
# `target:src_ip` marks the source address (the $HOME_NET side here) as the
# target in the alert record. Each sid is the ThreatFox IOC id from the
# `reference` URL with a leading 9.
# NOTE(review): where clients query an internal resolver, the source the sensor
# sees may be the resolver rather than the querying host - check sensor
# placement. Encrypted DNS (DoT/DoH) would not be expected to reach this buffer
# without decryption.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.kvmjcleaning.ca"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751224/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wowlabzstaging.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751225/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751225; rev:1;)
# Payload-delivery indicator at ThreatFox confidence 100; the botnet C2 domain
# entries around it carry 75. `confidence_level` in `metadata` repeats the
# figure from `msg`, so tooling that reads rule metadata can filter or
# prioritise on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironpine.rockpine.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751215; rev:1;)
# URL indicator, matched on three buffers of a client-to-server request on an
# established flow: the method must contain "GET"; the URI must begin with
# "/updater" (`depth:8` anchors it at the start, but no end-of-buffer check
# follows, so longer paths and query strings also match); and the host buffer
# must equal the listed name (`depth:24` plus `isdataat:!1,relative`).
# NOTE(review): the host test has no `nocase`. http.host is documented as a
# lower-cased buffer, so this is presumably intentional - confirm for the
# Suricata version deployed.
# NOTE(review): this inspects parsed HTTP only; the same request inside TLS
# would not be visible to it without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"bobrecurwarmumsworms.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 75%)"; dns_query; content:"venver.com.ar"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751194/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fukuoka-saiyou.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751195/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"krsseguros.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751196/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"laundryball.com.au"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751197/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vibortherm.hu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751198/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imaziner.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1751199/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inlaser.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751200/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bfacollege.co.in"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751201/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wisdomfromthedojo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751202/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"efcst.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751203/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thevertexcapital.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751204/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conqueringtheland.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751205/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.thetavernonfourth.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751206/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urs.org.vn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751207/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"knacho.sk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751208/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"themillennialdiyer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751209/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"analyticscampus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751210/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"k9toothsolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751211/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"themislegal.com.au"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751212/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"southernsolarcell.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751213/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buckmanmetal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751175/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"athleticx.be"; depth:12; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751176/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"forum.net-gazet.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751177/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"negociomejor.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751178/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.websinvention.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751179/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hermancedesign.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751180/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pakistanvisa.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751181/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theluxespa.co.zw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751182/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thegreendispensarymenu.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751183/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apotheken-setzen-zeichen.de"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751184/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"new.in-cut.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751185/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hotel-goger-augsfeld.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751186/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blackoxcreatives.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751187/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allen-me.solutions"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751188/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"talklifemedia.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751189/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iraqpools.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751190/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thejusticecollege.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"themovement.fit"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751192/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insidethecrown.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751193/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hillpaduampm.com.au"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751157/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"brownmountainangus.com.au"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751158/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.heartofthepiedmont.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751159/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"palmettoseasalttherapy.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751160/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vibranthealthventure.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751161/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ridethecape.co.za"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751162/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.perthspeechpathology.com.au"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751163/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adtrucking.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751164/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"celebrityinfograph.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751165/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; 
sid:91751165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bx.digitech.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751166/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"perspectives-book.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751167/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cashforclutter.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751168/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nardoweb.it"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751169/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wordpress-theme-collection.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751170/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"bbc-themes.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751171/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kawasaki-car.work"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751172/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wigwhowigme.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751173/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"htkwood.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751174/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theoldschool.sc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751149/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thetavernonfourth-com.bubars.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1751150/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.wetooktheplunge.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751151/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theapptrix.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751152/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thenewestthing.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751153/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theinvestworthy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751154/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shop.net-gazet.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751155/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nothingscares.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751156/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardneedle.rockpine.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highstone.rockpine.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"riverroot.bluefern.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowfern.bluefern.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepgreen.bluefern.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestleaf.bluefern.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sunhunter.lionsand.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sandpulse.lionsand.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildlion.lionsand.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"goldensand.lionsand.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751137; rev:1;) alert tcp $HOME_NET any -> [217.60.1.121] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751136/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"roughstrike.crotchfuete.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardpunch.crotchfuete.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"steelgrip.crotchfuete.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nightedict.forbidthen.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1751132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u281os5q.wintermere.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grimorder.forbidthen.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uo6ie1ro.wintermere.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751126; rev:1;) alert tcp $HOME_NET any -> [3.10.143.189] 12600 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751125; rev:1;) alert tcp $HOME_NET any -> [3.10.143.189] 1200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751122; rev:1;)
# ip:port rules: the header pins one destination address and port, and the
# options carry no flow, flags or content keyword, so any TCP packet from
# $HOME_NET to that endpoint satisfies the rule. threshold: type limit, track
# by_src, seconds 60, count 1 reduces output to one alert per source address
# per 60 seconds. Each port listed for [3.10.143.189] is a separate rule with
# its own sid, so a host touching several of them raises several alerts.
# NOTE(review): the match is on address and port only, and the metadata
# records first_seen but no expiry; check that the referenced ThreatFox entry
# is still current before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [3.10.143.189] 3500 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751123; rev:1;)
alert tcp $HOME_NET any -> [3.10.143.189] 10050 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751124; rev:1;)
alert tcp $HOME_NET any -> [196.75.213.61] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751120; rev:1;)
alert tcp $HOME_NET any -> [3.10.143.189] 1000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751121; rev:1;)
alert tcp $HOME_NET any -> [3.38.102.73] 35296 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751118; rev:1;)
alert tcp $HOME_NET any -> [13.214.210.23] 7073 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src,
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751119; rev:1;) alert tcp $HOME_NET any -> [199.101.111.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lawkeeper.forbidthen.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"toneforge.iaphonics.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"echowave.iaphonics.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"soundcraft.iaphonics.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751113/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jd4ftwmb.stoneweir.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"95o8yn83.stoneweir.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exfuture.ru.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olywsu.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751110; rev:1;) alert tcp $HOME_NET any -> [52.207.16.109] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751108; rev:1;) alert tcp $HOME_NET any -> 
[195.177.94.132] 13443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751107; rev:1;) alert tcp $HOME_NET any -> [165.232.45.1] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751106; rev:1;) alert tcp $HOME_NET any -> [165.227.177.122] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751105; rev:1;) alert tcp $HOME_NET any -> [107.172.217.220] 12096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farmer.sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sweetmeadow.mooingtaste.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1751102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751102; rev:1;)
# Payload-delivery domain rules: depth:N equals the content length and
# isdataat:!1,relative forbids trailing bytes, so each rule matches the
# dns_query buffer only when it is exactly the listed name (case-insensitive
# via nocase). Every host name is its own rule; no rule here covers the
# parent zone (e.g. mooingtaste.in.net) as a whole.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshudder.mooingtaste.in.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"creamvalley.mooingtaste.in.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepcoral.oceanprim.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751096; rev:1;)
# URL rule: applies to traffic Suricata parses as HTTP, on an established flow
# in the client-to-server direction (flow:established,from_client).
# http.method must contain "GET". http.uri must begin with the listed path:
# depth:19 equals the path length and no isdataat follows it, so a longer URI
# with the same prefix (for example one carrying a query string) also matches.
# http.host must equal the listed name: depth:12 plus isdataat:!1,relative.
# NOTE(review): requests to the same host over TLS are presumably not visible
# to this rule unless the sensor sees decrypted traffic -- confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zetus/five/fre.php"; depth:19; nocase; http.host; content:"abscete.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saltwave.oceanprim.in.net"; depth:25; fast_pattern; isdataat:!1,relative;
nocase; reference:url, threatfox.abuse.ch/ioc/1751094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bluecurrent.oceanprim.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironclove.bakhkondach.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blackroot.bakhkondach.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751089; rev:1;) alert tcp $HOME_NET any -> [47.76.249.152] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkspice.bakhkondach.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751087/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_20; classtype:trojan-activity; sid:91751087; rev:1;)
# Rules at confidence_level 75. The tcp rules inspect neither payload nor TLS
# fields: the match is the destination address and port alone, limited by the
# threshold keyword to one alert per source address per 60 seconds. Two of
# them use port 443, where the rule cannot tell the framework named in msg
# apart from any other TCP connection to the same address.
# The single dns rule in this group matches the query name exactly
# (depth:18 equals the content length, isdataat:!1,relative forbids trailing
# bytes); its msg names no malware family, so use the reference URL for context.
alert tcp $HOME_NET any -> [95.216.212.8] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751086/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xworm2026.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751085/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751085; rev:1;)
alert tcp $HOME_NET any -> [185.180.198.3] 2025 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751083/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751083; rev:1;)
alert tcp $HOME_NET any -> [185.180.198.3] 443 (msg:"ThreatFox RansomHub botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751084/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751084; rev:1;)
alert tcp $HOME_NET any -> [167.172.199.123] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751081/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751081; rev:1;)
alert tcp $HOME_NET any -> [167.172.199.123] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751082/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751082; rev:1;) alert tcp $HOME_NET any -> [163.181.208.79] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751080/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751080; rev:1;) alert tcp $HOME_NET any -> [13.248.136.191] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751079/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91751079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"firecharge.highexplos.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shockflare.highexplos.in.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blastzone.highexplos.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751076/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_20; classtype:trojan-activity; sid:91751076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rockpanel.flatdon.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plainforge.flatdon.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751072; rev:1;) alert tcp $HOME_NET any -> [168.245.203.186] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751071; rev:1;) alert tcp $HOME_NET any -> [103.177.47.207] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751070; rev:1;) alert tcp $HOME_NET any -> [103.177.47.174] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751069; rev:1;) alert tcp $HOME_NET any -> [3.107.169.157] 2 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751068; rev:1;) alert tcp $HOME_NET any -> [104.223.84.7] 14646 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751067; rev:1;) alert tcp $HOME_NET any -> [91.92.41.4] 5555 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dustcrate.flatdon.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751065; rev:1;) alert tcp $HOME_NET any -> [38.46.11.202] 1107 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751064; rev:1;) alert tcp $HOME_NET any -> [192.163.162.194] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751063; rev:1;) alert tcp $HOME_NET any -> [193.26.115.60] 6000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750818; rev:1;) alert tcp $HOME_NET any -> [38.49.215.118] 8443 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750820; rev:1;) alert tcp $HOME_NET any -> [23.94.252.101] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750821; rev:1;) alert tcp $HOME_NET any -> [83.142.209.92] 11200 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f54.js"; depth:8; nocase; http.host; content:"ainttby.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"ainttby.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750865; rev:1;)
# URL indicator, exact host + URI prefix: the http.uri content is anchored only at the
# start (depth:7), so any GET whose URI begins with "/js.php" (query string included)
# alerts; the http.host content is anchored at both ends (depth:11 plus
# isdataat:!1,relative), so only the bare hostname matches. http.host is a lowercased
# buffer, which is why the host content carries no nocase. An "alert http" rule inspects
# cleartext HTTP only.
# NOTE(review): confirm how a Host header that carries an explicit port is presented in
# http.host on the deployed Suricata version; the end anchor rejects it if the port is kept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"ainttby.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750866; rev:1;)
# Same shape at feed confidence 75%, with a literal IP address as the Host value. The
# three-byte URI prefix "/.i" also matches longer paths that merely start with it, so
# check the full URI in the HTTP log before escalating a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; nocase; http.host; content:"212.85.166.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750875/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750875; rev:1;)
# IP:port indicator: there are no flow, flags or payload keywords, so any TCP packet from
# $HOME_NET to this address and port qualifies. threshold type limit / track by_src caps
# output at one alert per source per 60 seconds; target:src_ip marks the $HOME_NET sender
# as the target side of the event. The family name in msg comes from the feed entry, not
# from inspection of the traffic.
alert tcp $HOME_NET any -> [203.192.206.72] 1988 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750913; rev:1;)
# Same IP:port shape on 8080, which is also a common proxy/web port: a hit shows contact
# with the listed address, not protocol-level confirmation. first_seen in metadata gives
# the age of the indicator for expiry decisions.
alert tcp $HOME_NET any -> [193.124.250.110] 8080 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750935; rev:1;)
# The next rule is split across the extracted line boundary and continues on the following line.
alert tcp $HOME_NET any -> [172.94.111.65] 8098 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750938; rev:1;) alert tcp $HOME_NET any -> [5.101.86.26] 49274 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"excessmon001.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1edaroughgan8hajous20.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1edaroughgan8hajous30.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1edaroughgan8hajous40.duckdns.org"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750944; rev:1;)
# URL indicator for the root path: http.uri content:"/" with depth:1 has no end anchor,
# so it is satisfied by any URI that starts with "/". In practice every cleartext GET
# whose Host is exactly 89.58.25.125 alerts, not only a request for "/" itself.
# NOTE(review): if root-only matching is intended, the URI content would need an end
# anchor such as the isdataat:!1,relative already used on the host content; confirm
# against the feed's intent before tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.58.25.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750948/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_20; classtype:trojan-activity; sid:91750948; rev:1;)
# DNS query indicators: depth equals the name length and isdataat:!1,relative forbids
# trailing bytes, so only a query for the exact name (any letter case, via nocase)
# alerts; a query for a subdomain of the name does not. These entries carry feed
# confidence 75% in both msg and metadata. target:src_ip marks the querying $HOME_NET
# address as the target side, which behind an internal resolver is the resolver itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cygnusn.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750955/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"khantym.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750956/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"salivae.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750957/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750957; rev:1;)
# The next rule is split across the extracted line boundary and continues on the following line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swederq.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750958/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_20; classtype:trojan-activity; sid:91750958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transpd.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750959/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tributj.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750960/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_20; classtype:trojan-activity; sid:91750960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intranet.milnetstresser.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751009; rev:1;) alert tcp $HOME_NET any -> [87.121.84.58] 8080 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751012; rev:1;) alert tcp $HOME_NET any -> [87.121.84.58] 2901 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751016/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_20; classtype:trojan-activity; sid:91751016; rev:1;) alert tcp $HOME_NET any -> [146.70.51.74] 2712 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751022; rev:1;)
# IP:port indicators: with no flow, flags or payload keywords, any TCP packet from
# $HOME_NET to the listed address and port qualifies, and the threshold keeps it to one
# alert per source per 60 seconds. The family named in msg is the feed's attribution;
# the rule itself does not inspect the protocol, so corroborate a hit with flow and
# endpoint data and use first_seen to judge how fresh the indicator is.
alert tcp $HOME_NET any -> [3.127.59.75] 11637 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751032; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 64601 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751035; rev:1;)
# URL indicator: a cleartext GET whose URI starts with "/supershell/login/" (depth:18,
# no end anchor, nocase) and whose Host is exactly the literal address 198.46.147.169
# (depth:14 plus isdataat:!1,relative). flow:established,from_client limits matching to
# the client side of an established session. A request to the same server under a
# hostname instead of the IP literal does not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"198.46.147.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1751054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751054; rev:1;)
# DNS query indicator: depth:26 plus isdataat:!1,relative pins the whole query name, so
# only this exact host under agrahurry.in.net alerts; sibling hosts under the same parent
# need their own entries, as the neighbouring rules in this feed show.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heattrail.agrahurry.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751062; rev:1;)
# The next rule is split across the extracted line boundary and continues on the following line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rushgrain.agrahurry.in.net"; depth:26; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speedcargo.agrahurry.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751057; rev:1;) alert tcp $HOME_NET any -> [81.68.89.216] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751056; rev:1;) alert tcp $HOME_NET any -> [221.229.53.161] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildhorn.goatbreed.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonegraze.goatbreed.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; 
classtype:trojan-activity; sid:91751050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"share2e2git.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormfield.goatbreed.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"horsten.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rocketmoll.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"argoflyleens.city"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"elfrodbloom.city"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751044; rev:1;) alert tcp $HOME_NET any -> [159.26.100.159] 59476 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bluepoint.northlake.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shroudcloud.ru.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kishlay.in.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpandroid2025.jp.net"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"icefront.northlake.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldwater.northlake.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"northshore.northlake.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751034; rev:1;) alert tcp $HOME_NET any -> [165.227.177.122] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"westwave.westlake.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751031/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751031; rev:1;) alert tcp $HOME_NET any -> [168.245.203.199] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751029; rev:1;) alert tcp $HOME_NET any -> [168.245.203.224] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751030; rev:1;) alert tcp $HOME_NET any -> [168.245.203.51] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751027; rev:1;) alert tcp $HOME_NET any -> [168.245.203.231] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751028; rev:1;) alert tcp $HOME_NET any -> [94.242.52.160] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1751026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"coolsurf.westlake.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepblue.westlake.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waterfront.westlake.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenpath.deepwood.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildleaf.deepwood.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darktimber.deepwood.in.net"; depth:26; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1751015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deeproot.deepwood.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redcore.redwood.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tallbranch.redwood.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldroot.redwood.in.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"strongleaf.redwood.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751005/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silentnode.darkmoon.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hiddenside.darkmoon.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blackorbit.darkmoon.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowphase.darkmoon.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1751001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91751001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldtrace.goldwind.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; 
sid:91750999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastglow.goldwind.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shineflow.goldwind.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warmbreeze.goldwind.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heavynode.ironwave.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750994; rev:1;) alert tcp $HOME_NET any -> [138.197.196.147] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750993; rev:1;) alert tcp $HOME_NET any -> [15.216.95.47] 2701 (msg:"ThreatFox Meterpreter botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750992; rev:1;) alert tcp $HOME_NET any -> [91.92.243.47] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkn-connects.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750990; rev:1;) alert tcp $HOME_NET any -> [89.40.206.98] 2050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_20; classtype:trojan-activity; sid:91750989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powerlink.ironwave.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardflow.ironwave.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750987/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"steelsync.ironwave.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldbeam.coolstar.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750985; rev:1;) alert tcp $HOME_NET any -> [209.74.82.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750984; rev:1;) alert tcp $HOME_NET any -> [3.85.107.177] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750983; rev:1;) alert tcp $HOME_NET any -> [3.148.25.195] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750981; rev:1;) alert tcp $HOME_NET any -> [75.119.151.20] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkn-partr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juandaza2025pu.camdvr.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750980; rev:1;) alert tcp $HOME_NET any -> [16.58.121.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manager.3utilities.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750977; rev:1;) alert tcp $HOME_NET any -> [165.232.45.1] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750976; rev:1;) alert tcp $HOME_NET any -> [155.138.162.127] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750975/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_19; classtype:trojan-activity; sid:91750975; rev:1;) alert tcp $HOME_NET any -> [154.219.97.206] 5758 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750974/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750974; rev:1;) alert tcp $HOME_NET any -> [154.219.97.142] 5758 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750973/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750973; rev:1;) alert tcp $HOME_NET any -> [154.219.97.70] 5758 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750972/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spaceview.coolstar.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y5d9oidj.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"423vlwlb.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightpoint.coolstar.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lightcore.coolstar.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leadpulse.bluewolf.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"nightrun.bluewolf.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bluehunt.bluewolf.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestnode.graywolf.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greytrack.graywolf.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildstep.graywolf.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"huntpack.graywolf.in.net"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750947; rev:1;) alert tcp $HOME_NET any -> [176.108.250.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750946/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_19; classtype:trojan-activity; sid:91750946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spacecore.brightstar.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lightbeam.brightstar.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"northgale.coldwind.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snowtrack.coldwind.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750933/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750933; rev:1;) alert tcp $HOME_NET any -> [156.225.19.99] 2324 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750932/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winterblast.coldwind.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750931; rev:1;) alert tcp $HOME_NET any -> [89.58.25.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750930; rev:1;) alert tcp $HOME_NET any -> [54.91.209.10] 16930 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750929; rev:1;) alert tcp $HOME_NET any -> [51.92.40.130] 1234 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750928; rev:1;) alert tcp $HOME_NET any -> [51.84.9.169] 9999 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750927; rev:1;) alert tcp $HOME_NET any -> [18.236.192.145] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750926; rev:1;) alert tcp $HOME_NET any -> [3.140.254.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750925; rev:1;) alert tcp $HOME_NET any -> [178.236.252.109] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750924; rev:1;) alert tcp $HOME_NET any -> [20.39.130.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750923; rev:1;) alert tcp $HOME_NET any -> [155.117.40.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; 
classtype:trojan-activity; sid:91750922; rev:1;) alert tcp $HOME_NET any -> [3.148.25.195] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750921; rev:1;) alert tcp $HOME_NET any -> [159.203.79.29] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750920; rev:1;) alert tcp $HOME_NET any -> [18.221.223.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750919; rev:1;) alert tcp $HOME_NET any -> [87.106.187.97] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750918; rev:1;) alert tcp $HOME_NET any -> [181.235.2.89] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750917; rev:1;) alert tcp $HOME_NET any -> [192.227.219.80] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1750916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freezepoint.coldwind.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coalbase.firepath.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glowtrace.firepath.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750911; rev:1;) alert tcp $HOME_NET any -> [95.85.239.201] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ashcloud.firepath.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750908/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_19; classtype:trojan-activity; sid:91750908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hotstone.firepath.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saltreef.deepwave.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750906; rev:1;) alert tcp $HOME_NET any -> [107.189.27.83] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750905; rev:1;) alert tcp $HOME_NET any -> [44.198.60.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750904; rev:1;) alert tcp $HOME_NET any -> [178.236.252.109] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750903/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750903; rev:1;) alert tcp $HOME_NET any -> [149.28.151.106] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750902/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"seacurrent.deepwave.in.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750901; rev:1;) alert tcp $HOME_NET any -> [117.187.252.19] 10250 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750900/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkwater.deepwave.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750898; rev:1;) alert tcp $HOME_NET any -> [95.156.205.13] 55575 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750897; rev:1;) alert tcp $HOME_NET any -> [178.116.38.74] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750896/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"92lottery.coach"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750895; rev:1;) alert tcp $HOME_NET any -> [172.86.68.38] 28886 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueocean.deepwave.in.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750893; rev:1;) alert tcp $HOME_NET any -> [103.83.86.162] 1985 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750892; rev:1;) alert tcp $HOME_NET any -> [119.45.214.169] 8443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750891; rev:1;) alert tcp $HOME_NET any -> [39.101.174.60] 8084 (msg:"ThreatFox VShell botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softmist.skyrain.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearair.skyrain.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highwind.skyrain.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bluecloud.skyrain.in.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750886; rev:1;) alert tcp $HOME_NET any -> [195.177.94.71] 4000 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750884; rev:1;) alert tcp $HOME_NET any -> [136.0.157.17] 9304 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalfruit.kiwi9ship3.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"portside.kiwi9ship3.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oceanbird.kiwi9ship3.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kiwitransit.kiwi9ship3.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750879/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_19; classtype:trojan-activity; sid:91750879; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name. Longer names and subdomains
#    of the listed name do not match.
#  - alert tcp: destination address and port only, with no flow or payload keywords, so any TCP
#    packet from $HOME_NET to that endpoint fires. threshold (type limit, track by_src) caps it at
#    one alert per source per 60 seconds.
# target:src_ip marks the $HOME_NET side as the alert's target. confidence_level and first_seen in
# metadata repeat the values in msg and can be used to filter alerts or age out old IP:port entries.

# Payload-delivery hosts under box671plum.coupons; each rule pins one host name, the parent domain
# itself is not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stockhub.box671plum.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750878; rev:1;)
alert tcp $HOME_NET any -> [15.229.32.243] 1234 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750877; rev:1;)
alert tcp $HOME_NET any -> [69.5.189.249] 7701 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueplum.box671plum.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heavybox.box671plum.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750870; rev:1;)
# Two XWorm endpoints on the same destination port (63603).
alert tcp $HOME_NET any -> [193.161.193.99] 63603 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750861; rev:1;)
alert tcp $HOME_NET any -> [37.4.250.173] 63603 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"plumfield.box671plum.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750860; rev:1;)
alert tcp $HOME_NET any -> [103.109.234.117] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750859; rev:1;)
# One specific host name under pinggy.link; the exact-name match leaves every other name under
# that suffix out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vnwns-188-163-102-33.a.free.pinggy.link"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750858; rev:1;)
# Matches the www. name only; a query for the bare lighter500.com does not hit this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lighter500.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750857; rev:1;)
alert tcp $HOME_NET any -> [89.125.50.65] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750856; rev:1;)
# Port 443 with no payload or TLS keyword: every TCP packet to this address on 443 fires, and the
# feed rates the entry at 90% rather than 100%.
# NOTE(review): check whether anything legitimate is reached at this address before treating a hit
# as confirmed C2.
alert tcp $HOME_NET any -> [149.28.151.106] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750855/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_19; classtype:trojan-activity; sid:91750855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abnewszamanpaper72.sa.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p-93kketo.ru.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boxflow.fig08box.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750851; 
rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.

# Numbered series megafilehub1..4.baby: one rule per name (megafilehub1 appears further down).
# Because each match is on the full name, a further number in the series is not covered until the
# feed lists it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megafilehub2.baby"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megafilehub3.baby"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megafilehub4.baby"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshfig.fig08box.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750844; rev:1;)
# Batch of XWorm IP:port entries. The rules identify the endpoint only and do not inspect the
# traffic, so a hit says "this host talked to a listed address and port", nothing about content.
alert tcp $HOME_NET any -> [5.230.159.62] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750837; rev:1;)
alert tcp $HOME_NET any -> [20.234.151.26] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750838; rev:1;)
alert tcp $HOME_NET any -> [45.61.149.192] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750839; rev:1;)
alert tcp $HOME_NET any -> [45.137.98.189] 6666 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750840; rev:1;)
alert tcp $HOME_NET any -> [45.141.26.201] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750841; rev:1;)
alert tcp $HOME_NET any -> [82.26.104.128] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750842; rev:1;)
alert tcp $HOME_NET any -> [91.208.197.30] 1605 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750843; rev:1;)
# Six-byte pattern, but depth:6 plus isdataat:!1,relative still requires the queried name to be
# exactly this string, so it does not fire on longer names that merely contain it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kys.li"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtualspeechtherapists.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megafilehub1.baby"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750835; rev:1;)
alert tcp $HOME_NET any -> [103.163.219.252] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750830; rev:1;)
alert tcp $HOME_NET any -> [141.11.213.91] 8282 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750831; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.110] 7777 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1750832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750832; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.

# XWorm IP:port entries, all on destination port 7000. Several addresses share a prefix
# (134.122.x.x, 202.95.x.x), but each rule lists a single address; neighbours are not covered.
alert tcp $HOME_NET any -> [193.233.113.137] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750833; rev:1;)
alert tcp $HOME_NET any -> [134.122.152.135] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750826; rev:1;)
alert tcp $HOME_NET any -> [134.122.154.171] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750827; rev:1;)
alert tcp $HOME_NET any -> [202.95.17.184] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750828; rev:1;)
alert tcp $HOME_NET any -> [202.95.18.16] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750829; rev:1;)
alert tcp $HOME_NET any -> [134.122.140.89] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750825; rev:1;)
# Payload-delivery hosts under fig08box.coupons and darkfire.coupons. Each rule pins one host
# name; the parent domains and any other hosts under them are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smallbox.fig08box.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"figbranch.fig08box.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coalpoint.darkfire.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smoketrace.darkfire.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hotelement.darkfire.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750815; rev:1;)
# The next names read like update or telemetry endpoints (sys-kernel-update, telemetry-pipe,
# api-metadata-v6 below). The rules match these exact strings only and encode nothing about the
# naming pattern, so look-alike names need their own entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sys-kernel-update.to"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telemetry-pipe.sh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blackfire.darkfire.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"velvet-parrot.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api-metadata-v6.is"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750790/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750790; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.
#  - alert http: established client-to-server flow, GET in http.method, then http.uri content
#    anchored at the start by depth but with no isdataat, so any URI that begins with the listed
#    path matches (query strings and longer paths included). http.host uses depth plus
#    isdataat:!1,relative, an exact host match.
#    NOTE(review): http.host has no nocase here; presumably this relies on the engine lowercasing
#    that buffer, and on the buffer excluding any :port suffix. Confirm for the deployed version.
#    These rules see cleartext HTTP only; the same URL fetched over TLS is left to the DNS rules.
alert tcp $HOME_NET any -> [213.152.161.162] 5103 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750793; rev:1;)
# trofeyincs.top is covered three times: two URL rules and one DNS rule. A single cleartext fetch
# can therefore raise a DNS alert and an HTTP alert under different sids; correlate on the host
# rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/middleware-json.php"; depth:26; nocase; http.host; content:"trofeyincs.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trofeyincs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/auth-response.js"; depth:23; nocase; http.host; content:"trofeyincs.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750806; rev:1;)
# No DNS rule for trombolistic.com appears among the rules shown here, so within this group the
# host is detected only when the listed path is requested over cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/111-file-r"; depth:11; nocase; http.host; content:"trombolistic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750807; rev:1;)
# Host is an IP literal: the match is on the Host header text, not on the destination address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/320-zip"; depth:8; nocase; http.host; content:"79.141.163.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750808; rev:1;)
# Payload-delivery hosts under pear7pack.coupons, one exact name per rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"farmfresh.pear7pack.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldpack.pear7pack.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750802; rev:1;)
# Confidence 75%: two host names under kozow.com. The rules still fire unconditionally; the lower
# rating is visible only in msg and metadata, so any down-weighting has to happen downstream.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pizzashop.kozow.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750796/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"brotherspizza.kozow.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750795/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sweetfruit.pear7pack.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pearline.pear7pack.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stormtrack.westwind.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750791; rev:1;)
# Two adjacent addresses on the same port, labelled Meterpreter by the feed. The family name is
# carried in msg only; nothing in the rule inspects the session.
alert tcp $HOME_NET any -> [168.245.203.52] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750788; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.54] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750789/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750789; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.
#  - alert http: established client-to-server flow, GET in http.method, a start-anchored http.uri
#    prefix, and an exact http.host match (depth plus isdataat:!1,relative).
alert tcp $HOME_NET any -> [65.87.7.237] 8888 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750786; rev:1;)
alert tcp $HOME_NET any -> [80.71.235.24] 8888 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750787; rev:1;)
# The msg wording follows one template for every ip:port entry ("<family> botnet C2 traffic").
# Here the family field is MimiKatz; the rule itself only identifies the endpoint and says nothing
# about what was exchanged with it.
alert tcp $HOME_NET any -> [94.237.58.158] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750785; rev:1;)
alert tcp $HOME_NET any -> [178.16.53.96] 888 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750784; rev:1;)
alert tcp $HOME_NET any -> [172.94.100.227] 29811 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apiv4.frostapi.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750782; rev:1;)
# Payload-delivery hosts under westwind.coupons, one exact name per rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"openfield.westwind.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"strongblow.westwind.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"westcoast.westwind.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750777; rev:1;)
# bra.gadgetwalabd.com and bra.alpinematters.com each get a DNS rule and a URL rule. The rules
# name the bra. host only, not the parent domains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bra.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bra.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750776; rev:1;)
# http.uri content:"/" with depth:1 is satisfied by any URI that starts with a slash, so these two
# rules amount to "any cleartext GET to this exact host". They add an HTTP-layer alert on top of
# the DNS rules above rather than narrowing to a particular path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bra.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bra.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750773; rev:1;)
# One specific host name under portmap.host; other names under that suffix are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawdawf-45472.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750772; rev:1;)
alert tcp $HOME_NET any -> [223.109.90.98] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750771; rev:1;)
alert tcp $HOME_NET any -> [183.2.143.61] 43350 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1750770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750770; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.
alert tcp $HOME_NET any -> [183.2.143.61] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750769; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.154] 3066 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750768; rev:1;)
# daroughgan* cluster: one .com name plus three numbered names under duckdns.org (30, 40, 50).
# Each rule is an exact match, so duckdns.org as a whole is untouched and an unlisted number in
# the series is not detected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daroughgan1.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daroughgan8hajous30.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daroughgan8hajous40.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daroughgan8hajous50.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750767; rev:1;)
alert tcp $HOME_NET any -> [83.228.224.244] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750763; rev:1;)
alert tcp $HOME_NET any -> [158.94.210.95] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750762; rev:1;)
# Short names registered under two-label suffixes (br.com, ru.com, gb.net, uk.com, co.com,
# in.net). Exact-name matching is what keeps these safe to deploy: only the listed label under
# each suffix fires, never the suffix itself or its other registrants.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"789f.br.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bertran.ru.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frunglewump.gb.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750759; rev:1;)
# hcolaba.ru.com here and colaba.ru.com below are separate entries; because the match is anchored
# at both ends, the shorter name does not also fire on the longer one.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcolaba.ru.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwn.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hg0088.co.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsc.in.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colaba.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750754; rev:1;)
# NOTE: the first and last lines of this group are halves of rules that the listing wraps across a
# line break. A rule has to sit on one line (or end each broken line with a backslash) before
# Suricata will parse it, so rejoin those halves before loading the file.
#
# Rule shapes used in this group:
#  - alert dns: dns_query content with depth equal to the content length, isdataat:!1,relative and
#    nocase, i.e. a case-insensitive match on the whole queried name and nothing longer.
#  - alert tcp: destination address and port only; no flow or payload keywords, so any TCP packet
#    to the endpoint fires, limited by threshold to one alert per source per 60 seconds.
#  - alert http: established client-to-server flow, GET in http.method, a start-anchored http.uri
#    prefix, and an exact http.host match (depth plus isdataat:!1,relative).

# Payload-delivery hosts under ship46kiwi.coupons, one exact name per rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skyline.ship46kiwi.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastkiwi.ship46kiwi.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenbird.ship46kiwi.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kiwitalk.ship46kiwi.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750746; rev:1;)
alert tcp $HOME_NET any -> [138.199.59.6] 60736 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750730/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750730; rev:1;)
# Payload-delivery hosts under ship48mint.coupons follow, interleaved with other entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastpack.ship48mint.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750742; rev:1;)
# Same address, two ratings: the ip:port entry (port 3232) is rated 50%, the URL entry for the
# same host 100%. The tcp rule fires on any packet to that port; the http rule needs a cleartext
# GET whose URI starts with the listed path. When both fire for one source, the http alert is the
# better-supported of the two; a tcp-only hit at 50% deserves triage before escalation.
alert tcp $HOME_NET any -> [158.94.211.76] 3232 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750739/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_19; classtype:trojan-activity; sid:91750739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ceoznp"; depth:7; nocase; http.host; content:"158.94.211.76"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshroute.ship48mint.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yupangco.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750729; rev:1;)
alert tcp $HOME_NET any -> [209.54.103.184] 1909 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750728; rev:1;)
# Confidence 75%, one host name under duckdns.org (exact match only).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xxblessingswealths.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750727/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldship.ship48mint.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mintbase.ship48mint.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750724; rev:1;)
# Confidence 75% on port 6667, with no payload inspection.
# NOTE(review): 6667 is also the customary IRC port, so a hit shows contact with the address and
# port, not the protocol spoken; review the flow before acting on it.
alert tcp $HOME_NET any -> [172.233.46.113] 6667 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750723/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"gsm.ftp.sh"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plm.ftp.sh"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glowpoint.eastmoon.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eastorbit.eastmoon.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darksky.eastmoon.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moonlight.eastmoon.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1750716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardlink.ironstar.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750715; rev:1;) alert tcp $HOME_NET any -> [52.146.70.84] 8013 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750714/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750714; rev:1;) alert tcp $HOME_NET any -> [24.20.225.162] 8080 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750713/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750713; rev:1;) alert tcp $HOME_NET any -> [185.179.189.122] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750711/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750711; rev:1;) alert tcp $HOME_NET any -> [172.86.91.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750710/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750710; rev:1;) alert tcp $HOME_NET any -> [165.245.130.101] 9090 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750709/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750709; rev:1;) alert tcp $HOME_NET any -> [138.91.32.183] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750707/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powerbeat.ironstar.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"steelsync.ironstar.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironcore.ironstar.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenlabel.pack12pear.coupons"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"localstore.pack12pear.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fruitpack.pack12pear.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750699; rev:1;) alert tcp $HOME_NET any -> [84.38.133.182] 41000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pearbox.pack12pear.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warmtrack.sandwave.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750695/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usedteslabuyers.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pressureulcerlawyer.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biopranica.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"houstongaragedoorinstallers.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldensand.sandwave.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750690; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donothg.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"francek.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rss.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rss.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rss.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750684; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rss.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drywind.sandwave.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raterake.cfd"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750681; rev:1;) alert tcp $HOME_NET any -> [122.225.30.226] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750680; rev:1;) alert tcp $HOME_NET any -> [165.227.115.71] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"desertroad.sandwave.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750678; rev:1;) alert tcp $HOME_NET any -> [167.172.48.226] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750677/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750677; rev:1;) alert tcp $HOME_NET any -> [144.172.108.230] 9000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750673/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baseflow.box1fig7.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"roundpack.box1fig7.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750671; rev:1;) alert tcp $HOME_NET any -> [8.162.5.187] 14701 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750463/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.gorscts.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750468/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_19; classtype:trojan-activity; sid:91750468; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 44688 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"systemcore.murta46unprin.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750474; rev:1;) alert tcp $HOME_NET any -> [45.150.32.124] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750476; rev:1;) alert tcp $HOME_NET any -> [45.94.31.178] 8990 (msg:"ThreatFox DoublePulsar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750484; rev:1;) 
# ThreatFox IoC rules, all with first_seen 2026_02_19. Each sid is 90000000 plus the
# ThreatFox IoC id in the rule's reference URL, so an alert can be traced back to
# threatfox.abuse.ch/ioc/<id>/. target:src_ip marks the $HOME_NET host as the alert target.
#
# Rule shapes used below:
#   http - cleartext GET only. http.host must equal the listed host exactly
#          (depth = string length, isdataat:!1,relative); http.uri only has to START
#          with the listed path (depth bounds the prefix, nothing anchors the end).
#          Requests inside TLS are not visible to these rules unless traffic is decrypted.
#   dns  - the query name must equal the listed name exactly, case-insensitively;
#          subdomains and sibling hosts of the same parent do not match.
#   tcp  - address and port only: no flow state and no payload is checked, so the first
#          packet (including a bare SYN) alerts. Treat a hit as a connection attempt,
#          not proof of an established C2 session. threshold keeps it to one alert per
#          source host per 60 seconds.
# confidence_level in metadata repeats the percentage in msg (50 or 100 here) and can
# be used to tier alert handling.

# hodorit.com: two payload URLs plus the domain itself. The dns rule fires on the
# cleartext lookup whatever transport follows; the http rules need a cleartext GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/identity/route-sandbox.php"; depth:27; nocase; http.host; content:"hodorit.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hodorit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/identity/rate-util.js"; depth:22; nocase; http.host; content:"hodorit.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750488; rev:1;)

# URL-only IoCs: no dns rule for cirealci.com is visible in this part of the file, and
# 185.33.87.29 is matched as a literal Host header value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/froute1"; depth:8; nocase; http.host; content:"cirealci.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zipp2"; depth:6; nocase; http.host; content:"185.33.87.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3mi05cn7h7k4ecsb.frostapi.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750491; rev:1;)
alert tcp $HOME_NET any -> [206.123.132.224] 39558 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750494; rev:1;)

# http.uri content "/" with depth:1 is satisfied by every origin-form request path, so
# this rule is effectively "any cleartext GET with Host 74.0.48.206".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.206"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750495; rev:1;)
alert tcp $HOME_NET any -> [198.244.201.139] 7181 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.exiled.fit"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750501; rev:1;)
alert tcp $HOME_NET any -> [172.105.85.143] 20809 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750513; rev:1;)

# mieyabi.com: two payload URLs plus the domain itself, same layout as the hodorit.com
# rules above in this block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5j1s.js"; depth:8; nocase; http.host; content:"mieyabi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mieyabi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"mieyabi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750517; rev:1;)

# 853/tcp is the registered DNS-over-TLS port; this rule still keys on address and
# port alone and inspects no payload.
alert tcp $HOME_NET any -> [89.167.52.86] 853 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750523; rev:1;)
alert tcp $HOME_NET any -> [146.70.181.238] 5675 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750525; rev:1;)
alert tcp $HOME_NET any -> [172.111.162.252] 2620 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750538; rev:1;)
alert tcp $HOME_NET any -> [23.26.129.38] 24024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klob"; depth:5; nocase; http.host; content:"91.92.243.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750546; rev:1;)

# 193.161.193.99 appears three times in this block with different ports (25340, 51173,
# 61682), each as its own ip:port rule.
# NOTE(review): one address serving many ports can indicate a shared forwarding or
# tunnelling host - confirm before blocking the whole address instead of the listed
# ip:port pairs.
alert tcp $HOME_NET any -> [193.161.193.99] 25340 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750557; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 51173 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750559; rev:1;)
alert tcp $HOME_NET any -> [87.242.106.13] 64370 (msg:"ThreatFox NonEuclid RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750564; rev:1;)
alert tcp $HOME_NET any -> [107.152.32.98] 2491 (msg:"ThreatFox DoublePulsar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750575; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 61682 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750577; rev:1;)
alert tcp $HOME_NET any -> [128.90.102.133] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750596; rev:1;)
alert tcp $HOME_NET any -> [112.68.47.218] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750612; rev:1;)

# Payload-delivery hostnames under .city and .coupons parents follow. Each is an
# exact-match rule, so other hosts under cloudbridge.city, natureway.city, urbanlab.city,
# starpoint.city or box1fig7.coupons need their own IoC or a DNS-log hunt on the parent.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"linkflow.cloudbridge.city"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750613; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.181] 17288 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750620; rev:1;)

# Confidence 50, the lowest in this block.
# NOTE(review): the name ends in .traefik.default, which does not look like a publicly
# delegated TLD; it may be a default certificate or internal service name rather than a
# resolvable C2 domain - confirm against the ThreatFox entry before acting on hits.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"26068482b66202d6ca29e1bb210288c8.444ef3f25893ae427338085e576fa9fb.traefik.default"; depth:81; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750630/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_19; classtype:trojan-activity; sid:91750630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"riverflow.natureway.city"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartstep.urbanlab.city"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pulseview.urbanlab.city"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gridlock.urbanlab.city"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightsky.starpoint.city"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"figstore.box1fig7.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polygon.qbetfhwz.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750669; rev:1;)
# ThreatFox indicator rules, restored to one rule per line (Suricata reads a
# rule from a single line unless it is continued with a trailing backslash).
# Only line breaks and comments are changed; every rule option is as published.
#
# Three rule shapes appear below:
#   alert dns  - inspects the dns_query buffer (older spelling of dns.query).
#                depth equals the length of the content string and
#                isdataat:!1,relative requires nothing after it, so only a
#                query for exactly that name matches (case-insensitive).
#                Other host names under the same parent zone are NOT covered.
#   alert tcp  - header-only match on destination address and port; there is
#                no flow or payload keyword, so a connection attempt is enough
#                to alert. threshold limits output to one alert per source
#                host per 60 seconds.
#   alert http - matches on parsed HTTP request fields (see the rule below).
# target:src_ip marks the $HOME_NET side as the target in alert output.
# metadata carries the feed's confidence_level and first_seen date; use them
# for triage priority and for ageing out stale indicators.

# URL indicator: established client-to-server flow, method buffer contains
# "GET", URI begins with "/gate/health" (depth:12, nocase), and the Host
# buffer is exactly the listed name. No nocase on the host match.
# NOTE(review): presumably this only sees cleartext HTTP; requests inside TLS
# would need decryption or a separate TLS/DNS indicator - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate/health"; depth:12; nocase; http.host; content:"polygon.qbetfhwz.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750668; rev:1;)
# Exact-name DNS indicator (payload delivery).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boxlayer.box1fig7.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750667; rev:1;)
# Address/port indicators. An alert shows that an internal host sent TCP
# traffic to this endpoint, not that a C2 session was established; corroborate
# with flow records or endpoint telemetry before escalating.
alert tcp $HOME_NET any -> [101.132.167.9] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750666; rev:1;)
# confidence_level 75: the feed itself rates this indicator lower than the
# 100% entries; consider a lower alert priority.
alert tcp $HOME_NET any -> [134.209.55.29] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750665/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750665; rev:1;)
# First of four exact-name rules under goldstar.coupons in this run; each host
# label has its own sid, so a new sibling label is missed until the feed adds it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spacecore.goldstar.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750664; rev:1;)
# NOTE(review): gl.at.ply.gg looks like a shared tunnelling-service zone where
# host labels are assigned per tenant and may later be reassigned - confirm,
# and weigh first_seen when triaging hits long after that date.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"next-dance.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750663; rev:1;)
alert tcp $HOME_NET any -> [94.73.17.125] 8088 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750662; rev:1;)
# Remaining goldstar.coupons host names (exact match each).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shinepoint.goldstar.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightsky.goldstar.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldlight.goldstar.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750659; rev:1;)
# Two exact-name rules under cabinetslyuka.digital; the leftmost labels differ
# per indicator, so further labels under this zone would not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pxkpoxt8.cabinetslyuka.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"52wyvwc0.cabinetslyuka.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750655; rev:1;)
# Four more address/port indicators on port 8001, all at confidence_level 75.
# Address-only indicators go stale when the address changes hands; review
# against first_seen before using them for blocking rather than alerting.
alert tcp $HOME_NET any -> [143.110.139.54] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750649/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750649; rev:1;)
alert tcp $HOME_NET any -> [165.232.80.66] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750648/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750648; rev:1;)
alert tcp $HOME_NET any -> [104.131.8.3] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750647/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750647; rev:1;)
alert tcp $HOME_NET any -> [142.93.137.168] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750646/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750646; rev:1;)
alert tcp $HOME_NET any -> [178.128.247.58] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750645/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750645; rev:1;) alert tcp $HOME_NET any -> [157.245.86.38] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750644/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750644; rev:1;) alert tcp $HOME_NET any -> [174.138.15.64] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750643/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750643; rev:1;) alert tcp $HOME_NET any -> [165.22.193.95] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750642/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750642; rev:1;) alert tcp $HOME_NET any -> [159.65.252.42] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750641/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750641; rev:1;) alert tcp $HOME_NET any -> [137.184.61.113] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750640/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildtrack.natureway.city"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"earthmap.natureway.city"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750637; rev:1;) alert tcp $HOME_NET any -> [45.89.140.78] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750635; rev:1;) alert tcp $HOME_NET any -> [45.89.140.80] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750634; rev:1;) alert tcp $HOME_NET any -> [38.127.8.3] 443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750633; rev:1;) alert tcp $HOME_NET any -> [130.164.164.220] 443 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750632; rev:1;) alert tcp $HOME_NET any -> [3.81.3.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nexit-62461.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nexit-53294.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750624; rev:1;) alert tcp $HOME_NET any -> [156.246.95.51] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750623; rev:1;) alert tcp $HOME_NET any -> [165.232.45.1] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750622/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenleaf.natureway.city"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastgate.cloudbridge.city"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"21.yunduans.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750615/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_19; classtype:trojan-activity; sid:91750615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"openport.cloudbridge.city"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swiftcore.cloudbridge.city"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; 
classtype:trojan-activity; sid:91750611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenleaf.mint5ship.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shipfresh.mint5ship.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shiftpoint.fastlane.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drivelogic.fastlane.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"roadrunner.fastlane.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750605; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickpath.fastlane.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chillstream.snowwind.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"purewhite.snowwind.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wintertrack.snowwind.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldbreeze.snowwind.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"sweetstock.plum63box.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boxstore.plum63box.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redplum.plum63box.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fruitcase.plum63box.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solidleaf.rockwood.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonepath.rockwood.coupons"; depth:26; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750593; rev:1;) alert tcp $HOME_NET any -> [78.12.9.38] 59161 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750592; rev:1;) alert tcp $HOME_NET any -> [43.209.225.147] 44819 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750591; rev:1;) alert tcp $HOME_NET any -> [54.89.163.179] 179 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750590; rev:1;) alert tcp $HOME_NET any -> [157.15.98.138] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_19; classtype:trojan-activity; sid:91750589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardbranch.rockwood.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; 
sid:91750588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestroot.rockwood.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueshell.bluewave.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coolsurf.bluewave.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepcoast.bluewave.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nightwave.bluewave.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"often-richmond.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750574; rev:1;) alert tcp $HOME_NET any -> [185.230.138.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750573; rev:1;) alert tcp $HOME_NET any -> [185.105.116.182] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750572; rev:1;) alert tcp $HOME_NET any -> [206.251.48.98] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750571; rev:1;) alert tcp $HOME_NET any -> [167.71.81.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750570; rev:1;) alert tcp $HOME_NET any -> [110.42.61.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scannerafiles.dynuddns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scanersfiles.dynuddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"batchgit.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750566/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mysticpoint.overdue13wizard.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wisepath.overdue13wizard.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750560/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_18; classtype:trojan-activity; sid:91750560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jxjfs70p.cropin456spire.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nhceoeow.cropin456spire.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldscroll.overdue13wizard.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"magicbook.overdue13wizard.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mentalpulse.conscious86jag.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; 
classtype:trojan-activity; sid:91750551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thoughtsync.conscious86jag.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750550; rev:1;) alert tcp $HOME_NET any -> [5.249.151.196] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"activebrain.conscious86jag.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mindwave.conscious86jag.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shieldpath.censure47contr.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750541; rev:1;) alert tcp $HOME_NET any -> 
[13.124.132.247] 3000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750536; rev:1;)
# ip:port rules: the header pins the destination address and port, and the
# options hold no flow or content keyword, so the match is on
# "$HOME_NET host sends TCP to this endpoint" alone. An alert shows an
# attempt to reach the endpoint; it does not by itself show that a C2
# session was established. Confirm with flow records or endpoint telemetry.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each rule
# at one alert per source address per 60 seconds, so alert counts say
# nothing about traffic volume.
# target:src_ip labels the source side (the $HOME_NET host) as the target
# in the generated event, i.e. the machine to triage.
# NOTE(review): address-only indicators go stale once an address changes
# hands; metadata first_seen is the field to age these rules by - confirm
# the retention policy used for this feed.
alert tcp $HOME_NET any -> [16.63.0.161] 4502 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750535; rev:1;)
alert tcp $HOME_NET any -> [208.85.23.90] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750534; rev:1;)
alert tcp $HOME_NET any -> [72.60.141.53] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750533; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.116] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750532; rev:1;)
alert tcp $HOME_NET any -> [52.90.185.134] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750531/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750531; rev:1;) alert tcp $HOME_NET any -> [3.81.3.110] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750530; rev:1;) alert tcp $HOME_NET any -> [178.62.249.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750529; rev:1;) alert tcp $HOME_NET any -> [95.179.191.226] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750528; rev:1;) alert tcp $HOME_NET any -> [51.118.64.13] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750527/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750527; rev:1;) alert tcp $HOME_NET any -> [125.72.124.131] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750526/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"checknode.censure47contr.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rulebase.censure47contr.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"safeguard.censure47contr.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"comparepoint.comparis4sosun.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750518; rev:1;) alert tcp $HOME_NET any -> [121.37.183.136] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750512; rev:1;) alert tcp $HOME_NET any -> [161.97.173.185] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750511; rev:1;) alert tcp $HOME_NET any -> [95.179.191.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750510; rev:1;) alert tcp $HOME_NET any -> [45.76.119.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750509; rev:1;) alert tcp $HOME_NET any -> [50.114.179.25] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750508; rev:1;) alert tcp $HOME_NET any -> [138.91.32.183] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750506/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_18; classtype:trojan-activity; sid:91750506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"linkcheck.comparis4sosun.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750507; rev:1;) alert tcp $HOME_NET any -> [70.39.206.183] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750505; rev:1;) alert tcp $HOME_NET any -> [50.114.206.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750504; rev:1;) alert tcp $HOME_NET any -> [50.114.206.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"matchview.comparis4sosun.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dataledger.comparis4sosun.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkhost.elusive16soot.coupons"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secretlink.elusive16soot.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hiddenscan.elusive16soot.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isof63umlw.loclx.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"19z4t19x.matrimon63shadowy.digital"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8h6w2a84.matrimon63shadowy.digital"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750481; rev:1;)
# dns rules: depth equals the length of the listed name, which anchors the
# match at the start of the dns_query buffer, and isdataat:!1,relative
# requires the buffer to end right after it. Together with nocase each rule
# matches that exact query name in any letter case, and not a longer name
# that merely contains it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shadowpath.elusive16soot.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750480; rev:1;)
# NOTE(review): sid:91750478 tests for the address string at the start of
# http.uri (depth:13) and has no http.host content. The other url rules in
# this file put the host in http.host and a path beginning with "/" in
# http.uri, so this rule probably came from an IOC without a path and is
# unlikely to match an ordinary request, whose URI starts with "/".
# Presumably the intent was http.uri "/" with http.host "45.150.32.124";
# confirm against the ThreatFox entry and do not count this sid as
# coverage for that address until it has been tested against traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.150.32.124"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1750478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1utmdojg.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"outputsync.murta46unprin.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"printflow.murta46unprin.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750472/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"workdeck.murta46unprin.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartraise.probos7raise.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"growthstep.probos7raise.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"packpoint.pack1kiwi.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"localhub.pack1kiwi.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; 
classtype:trojan-activity; sid:91750462; rev:1;)
# The two r3d.* names are covered twice in this group: the dns rules fire
# on the lookup of the exact name, the http rules on a cleartext GET sent
# to the same host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3d.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3d.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750461; rev:1;)
# NOTE(review): in the two http rules the URI test is content:"/" with
# depth:1 and nothing anchoring the end of the buffer, so any request path
# satisfies it. In effect they match every GET whose Host is exactly the
# listed name (depth plus isdataat:!1,relative on http.host). Requests
# using other methods are not covered, and traffic Suricata does not parse
# as HTTP (for example TLS it cannot decrypt) is left to the dns rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"r3d.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"r3d.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boxstream.pack1kiwi.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750457/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"supplyline.pack1kiwi.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fruitline.kiwi5pack.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usd56789.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750453/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sh1p-rnix.ship5plum.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"binadata.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750371/; target:src_ip; metadata: confidence_level 90, 
first_seen 2026_02_18; classtype:trojan-activity; sid:91750371; rev:1;)
# The name below sits several labels deep under workers.dev. depth:43 plus
# isdataat:!1,relative restrict the match to this one full query name, so
# lookups of other names under the same parent domain do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"still-sound-5eea.utkulukkar1982.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750395; rev:1;)
# The next two rules name the same address on two ports. Each has its own
# sid and its own threshold, so a single source contacting both ports can
# raise two alerts inside the same 60-second window; group by destination
# address when triaging.
alert tcp $HOME_NET any -> [192.169.69.25] 6060 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750406; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 7974 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750408; rev:1;)
alert tcp $HOME_NET any -> [31.40.204.103] 1990 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sparkchickgame.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sparkchickgame.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750427; rev:1;)
# dlderi.com: one dns rule for the exact name, followed by http rules that
# differ only in the URI content.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dlderi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750428; rev:1;)
# In each http rule the URI content is anchored at the start by depth but
# has no end anchor, so a longer URI that begins with the listed path (for
# instance one with a query string appended) also matches. The host content
# is anchored at both ends by depth and isdataat:!1,relative.
# nocase follows the URI content only; the http.host pattern is written in
# lower case, which is what Suricata's normalized host buffer holds.
# Only GET requests over parsed HTTP are covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"dlderi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dlderi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"dlderi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750431/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysmaintenancerequest.onrender.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750443; rev:1;) alert tcp $HOME_NET any -> [198.244.201.139] 2352 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kiwinode.kiwi5pack.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tas1/receptor.php"; depth:18; nocase; http.host; content:"saborizerefeicoes34.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshpack.kiwi5pack.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750447/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenstore.kiwi5pack.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hubtransit.ship9fig.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750444; rev:1;) alert tcp $HOME_NET any -> [13.124.132.247] 13000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750442; rev:1;) alert tcp $HOME_NET any -> [13.124.132.247] 10000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750441; rev:1;) alert tcp $HOME_NET any -> [13.124.132.247] 9200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750440; rev:1;) alert tcp $HOME_NET any -> [13.124.132.247] 2000 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750439; rev:1;) alert tcp $HOME_NET any -> [13.124.132.247] 51200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750438; rev:1;) alert tcp $HOME_NET any -> [51.44.160.115] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750437; rev:1;) alert tcp $HOME_NET any -> [178.17.62.214] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sendpoint.ship9fig.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalpath.ship9fig.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1750433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speedtrack.ship9fig.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marinenode.fig2ship.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"portentry.fig2ship.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oceanroute.fig2ship.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cargoflow.fig2ship.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750422/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b0x-rnark.box3pear.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"londonkc.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750419; rev:1;) alert tcp $HOME_NET any -> [51.15.0.28] 666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.gorscts.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750417; rev:1;) alert tcp $HOME_NET any -> [189.155.125.225] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luawhjkuk.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"consign.box3pear.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5v9n.box3pear.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rn1l1t-vvex.military423pudd.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"outpost.military423pudd.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750410; rev:1;) alert tcp $HOME_NET any -> [185.237.207.98] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750407/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750407; rev:1;)
# Domain indicators. Each dns rule matches one exact query name: depth equals
# the length of the content and isdataat:!1,relative requires that nothing
# follows it, so a longer name or another label under the same parent domain
# does not match. nocase makes the comparison case-insensitive.
# The header is $HOME_NET -> $EXTERNAL_NET, so a query sent to a resolver that
# sits inside $HOME_NET does not match; where the sensor only sees the
# resolver's outbound query, src_ip is the resolver, not the endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2k6d.military423pudd.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3ar-llnk.pear6box.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750404; rev:1;)
# URL indicators. The http.uri content "/" with depth:1 is satisfied by every
# request path that starts with "/", so these two rules are host-only in
# practice: any established client-side GET whose Host is exactly the listed
# name matches (depth plus isdataat:!1,relative anchor the Host at both ends).
# They apply only to traffic parsed as HTTP; the same host reached inside TLS
# is not visible to them unless it is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"for.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"for.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"container.pear6box.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x1m.pear6box.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p4ck-rnate.pack8mint.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bbfbb85010e4111.php"; depth:21; nocase; http.host; content:"185.123.102.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warehouse.pack8mint.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8574ba9c14cf4c8b.php"; depth:21; nocase; http.host; content:"91.196.33.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750393; rev:1;) alert tcp $HOME_NET any -> [103.45.68.122] 9001 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en2k1164.dictationlow.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lvhthej9.dictationlow.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9t5q.pack8mint.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"b1ueg-vveld.blueg78rework.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atelier.blueg78rework.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3n7a.blueg78rework.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rn1nt-llow.mint4pack.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crate.mint4pack.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r3p.mint4pack.coupons"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750383; rev:1;) alert tcp $HOME_NET any -> [168.245.203.207] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lqpoartdg.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mflk332-50294.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750380; rev:1;) alert tcp $HOME_NET any -> [102.117.167.30] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750379; rev:1;) alert tcp $HOME_NET any -> [147.45.60.69] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750377/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_18; classtype:trojan-activity; sid:91750377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d1sapp-vvire.disapp43squithes.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"archive.disapp43squithes.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6k2n.disapp43squithes.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750373; rev:1;) alert tcp $HOME_NET any -> [77.49.253.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angelcameintheearthwithbestwishesforpers.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750369; 
rev:1;)
# Each dns rule is an exact match on the full query name (depth equals the
# content length, isdataat:!1,relative forbids trailing bytes, nocase ignores
# case). For the duckdns.org entry this means only the listed host name
# alerts, not other names under the same provider domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssutdf767dglmxf.dexlopenhouse.shop"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fenix35630.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750367; rev:1;)
# sakurazuma.com is covered twice: the dns rule fires on a lookup of exactly
# that name (a lookup of a subdomain such as www. would not match), and the
# http rule fires on a cleartext GET to that Host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sakurazuma.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750353; rev:1;)
# The URI is anchored at the start only: depth:11 pins "/api/css.js" to the
# first 11 bytes and nothing constrains what follows, so a query string or a
# longer path with the same prefix also matches. The Host is matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sakurazuma.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manifest.ship5plum.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750362; rev:1;)
# Two rule shapes are interleaved below.
#
# dns rules: one exact query name per rule (depth equals the content length,
# isdataat:!1,relative forbids trailing bytes, nocase ignores case). Several
# names share a parent domain (ship5plum.coupons, plum7ship.coupons) and each
# has its own rule; a sibling label that is not listed will not alert, so a
# search of resolver logs for the parent domain complements these rules.
#
# tcp ip:port rules: the only conditions are the destination address and
# port. There is no flow, flags or content keyword, so the rule identifies an
# endpoint rather than a protocol and can alert on a connection attempt as
# well as on an established session. threshold type limit with track by_src,
# seconds 60, count 1 passes at most one alert per source address per minute
# for that rule.
#
# target:src_ip marks the $HOME_NET side as the affected host in both shapes.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m8v.ship5plum.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1urn-vvake.plum7ship.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750358; rev:1;)
alert tcp $HOME_NET any -> [172.94.100.227] 29810 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harbor.plum7ship.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750352; rev:1;)
alert tcp $HOME_NET any -> [159.26.100.129] 53024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"x7p9a.plum7ship.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750350; rev:1;) alert tcp $HOME_NET any -> [192.236.154.249] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beamglow.lightstream.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"11pinkbk.ydns.eu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750341/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"11pink.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750340/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"office001.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750336/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mainstreet.urbanpulse.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"se9bavje.lament42leave.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdxevwsx.lament42leave.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750331; rev:1;) alert tcp $HOME_NET any -> [158.94.209.22] 35541 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"traffichub.urbanpulse.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; 
sid:91750327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"liveroad.urbanpulse.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750324; rev:1;)
# The ip:port rules below are rated 75% by the feed. The rating appears only
# in msg and in metadata (confidence_level 75); classtype is trojan-activity,
# the same as for 100% entries, so classtype alone does not separate the two
# tiers. Triage that should treat them differently has to read the
# confidence_level metadata value.
# Each rule matches on destination address and port alone (no flow or content
# keyword), with at most one alert per source per 60 seconds. first_seen is a
# reporting date taken from the feed; the rule text does not show whether the
# endpoint is still active, so the reference URL is the place to confirm
# before acting on a hit.
alert tcp $HOME_NET any -> [99.83.215.169] 8121 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750323/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750323; rev:1;)
# 84.17.45.180 is listed on two ports, one rule and one sid per port.
alert tcp $HOME_NET any -> [84.17.45.180] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750321/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750321; rev:1;)
alert tcp $HOME_NET any -> [84.17.45.180] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750322/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750322; rev:1;)
alert tcp $HOME_NET any -> [82.165.218.73] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750320/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750320; rev:1;)
alert tcp $HOME_NET any -> [34.9.91.140] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750319/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750319; rev:1;) alert tcp $HOME_NET any -> [218.255.179.148] 36081 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750318/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750318; rev:1;) alert tcp $HOME_NET any -> [13.250.222.197] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750317/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750317; rev:1;) alert tcp $HOME_NET any -> [161.129.47.173] 56001 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750296; rev:1;) alert tcp $HOME_NET any -> [123.136.95.226] 1529 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750316/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750316; rev:1;) alert tcp $HOME_NET any -> [74.0.42.189] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750315; rev:1;) alert tcp $HOME_NET any -> [148.251.65.217] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750309; rev:1;) alert tcp $HOME_NET any -> [74.0.32.76] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750310; rev:1;) alert tcp $HOME_NET any -> [65.108.245.111] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750311; rev:1;) alert tcp $HOME_NET any -> [74.0.42.164] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750312; rev:1;) alert tcp $HOME_NET any -> [37.221.66.62] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750313; rev:1;) alert tcp $HOME_NET any -> [46.225.136.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750314; 
rev:1;)
# Exact-name dns rules: depth equals the content length and
# isdataat:!1,relative forbids trailing bytes, so only a query for the listed
# name matches; nocase ignores case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tue.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tue.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750308; rev:1;)
# http rules whose Host pattern is an IP literal. The match is on the Host
# header value, not on the destination address: a request to the same server
# that carries a host name in Host does not match, and a request with this
# Host value sent to any external address does. The URI condition ("/" at
# depth 1) is met by every path, so the Host is the only discriminator.
# The same addresses also appear in ip:port rules for port 443 elsewhere in
# this file; these http rules apply only to traffic parsed as HTTP, so for
# sessions inside TLS the ip:port rules are the ones that can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.136.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.189"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"148.251.65.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750299/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750299; rev:1;)
# URL indicators (cleartext HTTP). Each rule needs an established client-to-server
# flow, "GET" in http.method, a URI that starts with the listed path, and an
# http.host value that is exactly the listed host (depth equals the string length
# and isdataat:!1,relative allows no trailing bytes). The URI content has a depth
# but no end check, so with "/" every GET request to the host matches.
# These are alert http rules: they apply to traffic Suricata parses as HTTP, so the
# same host reached inside TLS is not covered unless it is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.32.76"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.245.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.47.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.42.164"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.221.66.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tue.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tue.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750298; rev:1;)
# IP:port indicators. No content or flow keywords are present, so any TCP packet
# from $HOME_NET to the listed address and port matches, whether or not a session
# is ever established; the family name in msg comes from the feed entry, not from
# payload inspection. threshold limits output to one alert per source address per
# 60 seconds. confidence_level 75 and 100 entries share classtype:trojan-activity,
# so triage that should differ by confidence has to read the metadata field.
alert tcp $HOME_NET any -> [82.26.74.181] 7080 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750273; rev:1;)
alert tcp $HOME_NET any -> [142.147.99.237] 56001 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750279; rev:1;)
alert tcp $HOME_NET any -> [130.12.181.62] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750295/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750295; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.17] 46534 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750294/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750294; rev:1;)
alert tcp $HOME_NET any -> [64.89.163.109] 7080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750293/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750293; rev:1;)
alert tcp $HOME_NET any -> [3.79.153.41] 48395 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750292; rev:1;)
alert tcp $HOME_NET any -> [3.79.153.41] 8545 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750291; rev:1;)
alert tcp $HOME_NET any -> [3.79.153.41] 50995 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750290; rev:1;)
alert tcp $HOME_NET any -> [103.177.46.32] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750289; rev:1;)
alert tcp $HOME_NET any -> [196.74.230.2] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750288; rev:1;)
alert tcp $HOME_NET any -> [16.112.60.211] 503 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750287; rev:1;)
# Port 80 on this entry: any TCP packet to the address on that port matches,
# regardless of what is requested.
alert tcp $HOME_NET any -> [56.124.17.113] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750286; rev:1;)
alert tcp $HOME_NET any -> [103.177.46.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750285; rev:1;)
alert tcp $HOME_NET any -> [45.59.117.145] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750284; rev:1;)
# Domain indicator. dns_query with depth equal to the name length plus
# isdataat:!1,relative matches only a query for exactly this name (nocase makes it
# case-insensitive); lookups for its subdomains do not match.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET, so where clients use an
# internal resolver the alert source may be the resolver rather than the querying
# host -- confirm against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitsoinsbebeclique.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750283; rev:1;)
# IP:port indicators, same form as the tcp rules earlier in this block; two of the
# next three use ports 443 and 80 and are confidence_level 75.
alert tcp $HOME_NET any -> [176.10.118.147] 443 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750280; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.31] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750281/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750281; rev:1;)
alert tcp $HOME_NET any -> [45.74.40.3] 2024 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750282/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750282; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.79] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750278; rev:1;)
# Three rule forms appear below, all with classtype:trojan-activity and
# target:src_ip (the $HOME_NET side is recorded as the target of the alert):
#   dns  - dns_query content with depth equal to the name length and
#          isdataat:!1,relative: matches a query for exactly the listed name,
#          case-insensitively; subdomains of the name do not match.
#   tcp  - address and port only, no content or flow keywords: any TCP packet to
#          that endpoint matches, limited to one alert per source per 60 seconds.
#   http - GET on an established client-to-server flow, URI starting with the
#          listed path, http.host exactly the listed host; parsed HTTP only.
# The feed's confidence_level (50 to 100 in this block) appears only in msg and
# metadata, so handling that should differ by confidence has to key on those.
# NOTE(review): dns rules are written $HOME_NET -> $EXTERNAL_NET; where clients use
# an internal resolver the alert source may be the resolver rather than the
# querying host -- confirm against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"truckpig.cfd"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthiron.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"controlprice.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freumon.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citypulse.urbanpulse.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750271; rev:1;)
alert tcp $HOME_NET any -> [172.86.114.147] 1150 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"followahahaha.followz.st"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750080; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.191] 39002 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750083; rev:1;)
alert tcp $HOME_NET any -> [78.29.43.89] 40689 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750101; rev:1;)
alert tcp $HOME_NET any -> [23.234.88.233] 4444 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750110; rev:1;)
alert tcp $HOME_NET any -> [23.234.88.233] 34728 (msg:"ThreatFox XenoRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750112; rev:1;)
alert tcp $HOME_NET any -> [156.205.97.11] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750115; rev:1;)
alert tcp $HOME_NET any -> [8.148.70.84] 1984 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"set.74fkhlsdg12.la"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750238; rev:1;)
# URI content is "/" with depth:1 and no end check, so this matches every GET
# request to the host over parsed HTTP (confidence_level 90).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"greecpt.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750030/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_18; classtype:trojan-activity; sid:91750030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datacloudhost4.baby"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bracesarlington.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serialmenot.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"urbanbike.velvetmaple.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750049; rev:1;)
# The next six rules are domain/URL pairs for three hosts: the dns rule fires on a
# lookup of the exact name, the http rule on a GET whose URI starts with
# "/api/css.js" (longer URIs with that prefix also match) on cleartext HTTP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softgametime.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"softgametime.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"playdigitalzone.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"playdigitalzone.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kentexroofings.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"kentexroofings.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750097; rev:1;)
# Seven Tofsee entries on port 419, all confidence_level 75.
alert tcp $HOME_NET any -> [130.12.182.109] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750264/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750264; rev:1;)
alert tcp $HOME_NET any -> [46.151.182.245] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750265; rev:1;)
alert tcp $HOME_NET any -> [178.16.52.166] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750266/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750266; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.193] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750267/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750267; rev:1;)
alert tcp $HOME_NET any -> [62.60.226.199] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750268/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750268; rev:1;)
alert tcp $HOME_NET any -> [176.117.107.186] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750269/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750269; rev:1;)
alert tcp $HOME_NET any -> [130.12.181.219] 419 (msg:"ThreatFox Tofsee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750270/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_18; classtype:trojan-activity; sid:91750270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saltcalc.oceansync.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750261; rev:1;)
# A run of confidence_level 50 domain entries starts here. They alert with the same
# classtype as the confidence_level 100 entries, so they are not distinguished by
# priority; one entry ("www.ndibstersoft.com") lists a www. name, and the exact
# match means a lookup of the bare domain would not trigger it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"binclloudapp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750260/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"activitydmy.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750258/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mnvgp.click"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750259/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"marle.io"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750257/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ndibstersoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750256/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"networkservice.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750255/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rompompomsigma.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750241/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"th6969.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750242/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"binance.comtr-katilim.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750243/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bchat.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750244/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"beetongame.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750245/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tribusadao.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750246/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siriustimes.rocks"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750247/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"siriustimes.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750248/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"chiebi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750249/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"red-letter.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750250/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cekrovnyshim.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750251/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ironswordzombiekiller.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750252/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"yourwrongwayz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750253/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"theinvestcofund.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750254/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750254; rev:1;)
# The host in this rule is a public paste service shared by many users, so the
# only indicator-specific part is the URI. The URI content "/raw/sdsd" is anchored
# at the start but has no end check, so any longer path beginning with the same
# characters also matches. confidence_level is 50.
# NOTE(review): presumably most client traffic to this host is carried over TLS,
# in which case an alert http rule would not see the request -- confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/sdsd"; depth:9; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750240/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"watersalt.oceansync.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750239; rev:1;)
# confidence_level 50 IP:port entries follow, some on ports 443 and 80. Each one
# matches any TCP packet to the endpoint; nothing in the rule inspects the payload
# for the family named in msg.
alert tcp $HOME_NET any -> [195.65.51.199] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750233/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750233; rev:1;)
alert tcp $HOME_NET any -> [163.53.152.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750232/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750232; rev:1;)
alert tcp $HOME_NET any -> [216.245.184.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750231/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750231; rev:1;)
alert tcp $HOME_NET any -> [51.255.202.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750229/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750229; rev:1;)
alert tcp $HOME_NET any -> [51.254.33.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750230/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750230; rev:1;)
alert tcp $HOME_NET any -> [51.103.27.26] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750227/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750227; rev:1;)
alert tcp $HOME_NET any -> [167.172.199.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750228/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750228; rev:1;)
alert tcp $HOME_NET any -> [41.186.188.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750226/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750226; rev:1;)
alert tcp $HOME_NET any -> [185.112.144.66] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750225/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_18; classtype:trojan-activity; sid:91750225; rev:1;)
alert tcp $HOME_NET any -> [114.221.148.161] 47012 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750222; rev:1;)
alert tcp $HOME_NET any -> [114.221.148.161] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750221; rev:1;)
alert tcp $HOME_NET any -> [38.60.242.234] 64431 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750220/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_18; classtype:trojan-activity; sid:91750220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepblue.oceansync.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loudounmovingcompany.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toolitl.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unrepax.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imageod.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skiagro.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"untempf.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ectrodm.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greekcs.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"massng.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ballisr.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capacif.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wavetide.oceansync.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"boltfix.metalheart.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gearsync.metalheart.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"62.182.81.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750203; rev:1;)
# .onion is a special-use name (RFC 7686) that is normally resolved inside Tor and
# not sent to DNS, so the two rules below can only fire when a lookup for the name
# reaches the ordinary resolver path; they give no coverage of Tor traffic itself,
# and a lack of alerts from them is not evidence that the service was not contacted.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nerqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unrqdnruyae3bngm5txc6vgz7ny2fbdwjllzhq6eioew7te6xplyndid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khom5v7vmc2nomkze64dsbyenn3wlxkewg6dbsvt5sujl2rmrtfy4oid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion"; depth:61; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whodusp3s2z6rnenxhv7scc2w5fzsse5cmijll2vl7fo6ezk45zssjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwgxeoaqykd3zdkhol5xpgsqabp4lys4ea7qpl3f2b75b2sdsex644id.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usqa5b33yyc2u6kqf5au64cgj64acl2umtll76qutlmu7fckw6kh6wqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750194/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_18; classtype:trojan-activity; sid:91750194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2msn5sp3af3iy2ozj4235ccsb7pnpp4tkzyxdpzutyc2sxb3mujicfyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esmhbczpio7umfnxog6bk23q3nok5fjuik2dttegvezqngg2oqklo7yd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpj6dzqat4n4hwb625a4qjpuzd3bzrjgw5zlwa3l6uiazdwjcib3y6ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sltc7wlafwiemito2kijqlxnmjgaxrrfihztjdl25vofh7kzvs7l5dqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beatlead.metalheart.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"corepulse.metalheart.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750190; rev:1;) alert tcp $HOME_NET any -> [16.79.104.189] 51039 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750187; rev:1;) alert tcp $HOME_NET any -> [3.149.237.64] 53088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750185; rev:1;) alert tcp $HOME_NET any -> [168.245.203.173] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750186; rev:1;) alert tcp $HOME_NET any -> [3.149.237.64] 32638 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750184; rev:1;) alert tcp $HOME_NET any -> 
[178.128.9.221] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750183; rev:1;) alert tcp $HOME_NET any -> [45.11.88.42] 5555 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750181; rev:1;) alert tcp $HOME_NET any -> [27.102.102.170] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750182; rev:1;) alert tcp $HOME_NET any -> [149.50.96.57] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750179; rev:1;) alert tcp $HOME_NET any -> [45.11.88.42] 2323 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750180; rev:1;) alert tcp $HOME_NET any -> [193.142.146.9] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750178/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_18; classtype:trojan-activity; sid:91750178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hostserver.cloudtrace.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kittyland.gg"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750176; rev:1;) alert tcp $HOME_NET any -> [212.38.88.137] 7070 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750175; rev:1;) alert tcp $HOME_NET any -> [185.196.10.153] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750174; rev:1;) alert tcp $HOME_NET any -> [200.109.215.214] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750173; rev:1;) alert tcp $HOME_NET any -> [16.58.46.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flowcloud.cloudtrace.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"linkedge.cloudtrace.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"datastream.cloudtrace.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lookheat.nightvision.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sightzoom.nightvision.coupons"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opticscan.nightvision.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkview.nightvision.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildtimber.timberwalk.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"parkzone.timberwalk.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"woodpath.timberwalk.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"leafwalk.timberwalk.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"craftbase.stonecraft.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"layerstone.stonecraft.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hardform.stonecraft.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750154; rev:1;) alert tcp $HOME_NET any -> [54.246.13.29] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; 
classtype:trojan-activity; sid:91750153; rev:1;) alert tcp $HOME_NET any -> [43.210.161.136] 13676 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750151; rev:1;) alert tcp $HOME_NET any -> [175.41.229.219] 6006 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750152; rev:1;) alert tcp $HOME_NET any -> [56.68.116.159] 8808 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750150; rev:1;) alert tcp $HOME_NET any -> [199.101.111.182] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750149; rev:1;) alert tcp $HOME_NET any -> [144.172.107.162] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750148; rev:1;) alert tcp $HOME_NET any -> [128.90.115.176] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750147; rev:1;) alert tcp $HOME_NET any -> [165.227.242.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750146; rev:1;) alert tcp $HOME_NET any -> [193.26.115.167] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750145; rev:1;) alert tcp $HOME_NET any -> [139.28.219.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d54576e112f4297.php"; depth:21; nocase; http.host; content:"heradoux.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1750143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_18; classtype:trojan-activity; sid:91750143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solidrock.stonecraft.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750142/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"printflow.paperbridge.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"maildraft.paperbridge.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"workbridge.paperbridge.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750139; rev:1;) alert tcp $HOME_NET any -> [209.54.101.177] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"officedesk.paperbridge.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750136; rev:1;) 
# Reading notes for the rules on this line; every statement below follows from the rule options shown.
# - dns rules: depth equals the length of the content string and isdataat:!1,relative forbids any
#   trailing byte, so the query name must equal the listed FQDN (nocase makes the comparison
#   case-insensitive). A query for a subdomain or a sibling host of the listed name does not match.
# - tcp ip:port rules: they carry no flow or payload keyword, so the match is on destination address
#   and port alone and does not depend on connection state or content; it will also fire for any
#   unrelated service reachable on the same address and port. The threshold option
#   (type limit, track by_src, seconds 60, count 1) caps alerts at one per source address per 60 seconds.
# - target:src_ip records the source side (the $HOME_NET host) as the target in the alert event.
# - metadata confidence_level / first_seen are the feed's own values; they are the fields to use when
#   filtering by confidence or ageing out old indicators.
# - The last rule on this line is split here and continues on the next line.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basecommand.orbitalmap.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nodepoint.orbitalmap.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750133; rev:1;) alert tcp $HOME_NET any -> [150.139.132.244] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trenjamin-49547.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750131; rev:1;) alert tcp $HOME_NET any -> [69.167.11.146] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750129; rev:1;) alert tcp $HOME_NET any -> [35.173.190.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkns-extrns.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750127; rev:1;) alert tcp $HOME_NET any -> [37.148.133.242] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750126; rev:1;) alert tcp $HOME_NET any -> [4.246.90.81] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750125/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_17; classtype:trojan-activity; sid:91750125; rev:1;) alert tcp $HOME_NET any -> [43.134.163.224] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"president-rogers.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; 
classtype:trojan-activity; sid:91750124; rev:1;) alert tcp $HOME_NET any -> [103.165.81.230] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750120; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 60470 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750121; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 64425 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodforlitme.dynuddns.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trackorbit.orbitalmap.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"staratlas.orbitalmap.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sharpedge.glasspurity.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"discountfoodxyr.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"myfoodxrxcrccrcxs.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glasscube.glasspurity.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"purelight.glasspurity.coupons"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smoothrun.rapidflow.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickstep.rapidflow.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fasttrack.rapidflow.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenleaf.ancienttree.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldroot.ancienttree.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1750091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wiseword.ancienttree.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750090; rev:1;) alert tcp $HOME_NET any -> [155.117.40.221] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750089; rev:1;) alert tcp $HOME_NET any -> [45.114.61.57] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750088; rev:1;) alert tcp $HOME_NET any -> [38.127.8.3] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750087; rev:1;) alert tcp $HOME_NET any -> [157.245.38.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750086; rev:1;) alert tcp $HOME_NET any -> [207.148.81.32] 
80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750085; rev:1;) alert tcp $HOME_NET any -> [47.119.178.247] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"heavychain.stronghold.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metalkey.stronghold.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"irongate.stronghold.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calmnight.gentlewind.coupons"; 
depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750077; rev:1;) alert tcp $HOME_NET any -> [151.243.109.247] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"summerday.gentlewind.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750075; rev:1;) alert tcp $HOME_NET any -> [1.94.166.110] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750074; rev:1;) alert tcp $HOME_NET any -> [178.16.55.160] 2323 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750071; rev:1;) alert tcp $HOME_NET any -> [43.157.1.71] 2323 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; 
classtype:trojan-activity; sid:91750072; rev:1;) alert tcp $HOME_NET any -> [43.157.1.71] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750073; rev:1;) alert tcp $HOME_NET any -> [54.205.232.150] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750070; rev:1;) alert tcp $HOME_NET any -> [34.205.26.40] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750069; rev:1;) alert tcp $HOME_NET any -> [100.54.32.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750068; rev:1;) alert tcp $HOME_NET any -> [187.209.26.195] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750067; rev:1;) alert tcp $HOME_NET any -> [34.9.91.140] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1750066/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_17; classtype:trojan-activity; sid:91750066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softbreeze.gentlewind.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iosdhlfsg.silverpeak.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forestpath.silverpeak.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750063; rev:1;) alert tcp $HOME_NET any -> [158.94.210.135] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750062/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91750062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highmount.silverpeak.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; 
classtype:trojan-activity; sid:91750060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildriver.silverpeak.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearview.boldstone.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartmind.boldstone.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightidea.boldstone.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldwater.frozenshell.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750055; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepdive.frozenshell.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueocean.frozenshell.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"streetart.velvetmaple.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citypulse.velvetmaple.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arbidmedhstbi-32780.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"lekeleke-007-bk.ydns.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gardenplan.swiftleaf.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bookclub.swiftleaf.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oxwv9bay.agitate6vagina.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"morningcoffee.swiftleaf.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"33vq3044.agitate6vagina.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1urn-vvay.plum8express.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"priority.plum8express.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4q8m.plum8express.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grap3-llow.grape1shipping.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"consign.grape1shipping.coupons"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5v9n.grape1shipping.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ch3rry-rnark.cherry5freight.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pallet.cherry5freight.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2k6d.cherry5freight.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app1e-vvex.apple2dispatch.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1750023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"routing.apple2dispatch.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x1m.apple2dispatch.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1750021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750021; rev:1;) alert tcp $HOME_NET any -> [94.46.236.201] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750020; rev:1;) alert tcp $HOME_NET any -> [104.21.4.107] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750012; rev:1;) alert tcp $HOME_NET any -> [172.67.162.40] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750013; rev:1;) 
# NOTE(review): the destinations in this run of AsyncRAT ip:port rules (104.18.41.188, 104.21.4.107,
# 104.21.92.21, 172.67.131.254, 172.67.184.253) appear to fall inside Cloudflare's published ranges
# (104.16.0.0/13, 172.64.0.0/13) -- confirm against the current list. If so, they are shared reverse-proxy
# edge addresses, not dedicated hosts: a match on IP and port alone cannot separate the reported C2 from
# unrelated services behind the same address, and the mapping can change at any time. Treat hits as leads to
# corroborate with DNS, TLS SNI or endpoint telemetry before blocking or escalating, and age these entries out.
# Each rule matches on destination address and port only (no payload or flow keyword); "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per source host per rule per 60 seconds.
alert tcp $HOME_NET any -> [172.67.184.253] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750014; rev:1;) alert tcp $HOME_NET any -> [172.67.131.254] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750015; rev:1;) alert tcp $HOME_NET any -> [104.21.4.107] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750016; rev:1;) alert tcp $HOME_NET any -> [172.67.131.254] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750017; rev:1;) alert tcp $HOME_NET any -> [104.21.92.21] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750018; rev:1;) alert tcp $HOME_NET any -> [104.18.41.188] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750005/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750005; rev:1;) alert tcp $HOME_NET any -> [104.21.4.107] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750006; rev:1;) alert tcp $HOME_NET any -> [104.18.41.188] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750007; rev:1;) alert tcp $HOME_NET any -> [104.21.4.107] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750008; rev:1;) alert tcp $HOME_NET any -> [172.67.131.254] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750010; rev:1;) alert tcp $HOME_NET any -> [172.67.140.109] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750011; rev:1;) alert tcp $HOME_NET any -> [172.67.162.40] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749996; rev:1;) alert tcp $HOME_NET any -> [104.21.15.101] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749997; rev:1;) alert tcp $HOME_NET any -> [104.21.46.158] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749998; rev:1;) alert tcp $HOME_NET any -> [172.64.146.68] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749999; rev:1;) alert tcp $HOME_NET any -> [172.64.146.68] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750000; rev:1;) alert tcp $HOME_NET any -> [172.67.184.253] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750001; 
rev:1;)
# Rule shapes used in this part of the ThreatFox feed:
#   ip:port - `alert tcp` from $HOME_NET to a single address and port. No flow,
#             flags or content condition is present, so the match is on the
#             addresses and port alone; `threshold: type limit, track by_src,
#             seconds 60, count 1` caps output at one alert per source per minute.
#   domain  - `dns_query` with `depth` equal to the content length plus
#             `isdataat:!1,relative` and `nocase`: a case-insensitive match on the
#             whole query name. Sub-domains and sibling names do not match.
#   url     - established client-side GET requests; `http.host` is matched as a
#             whole, `http.uri` only as a prefix (depth equals the content length
#             and nothing anchors the end of the URI).
# `target:src_ip` marks the $HOME_NET side as the alert target, and
# `metadata: confidence_level` carries the feed's own confidence for filtering.
#
# NOTE(review): the 104.21.x.x and 172.67.x.x destinations below look like CDN
# reverse-proxy addresses - confirm ownership. If so, each address is shared with
# unrelated sites and only the destination port narrows the match.
alert tcp $HOME_NET any -> [104.21.4.107] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750003; rev:1;)
alert tcp $HOME_NET any -> [172.67.131.254] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1750004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91750004; rev:1;)
alert tcp $HOME_NET any -> [104.21.92.21] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749992; rev:1;)
alert tcp $HOME_NET any -> [104.21.15.101] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749993; rev:1;)
alert tcp $HOME_NET any -> [172.67.131.254] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749994; rev:1;)
# Whole-name matches: only these exact host names alert, not other names under
# the same parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoxt1.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps30002026.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749990; rev:1;)
# URI condition is a prefix: any GET whose path begins with "/api" (any case) on
# the listed host satisfies `content:"/api"; depth:4; nocase`.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"killnnk.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"oculusr.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"psychob.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749988; rev:1;)
# Payload-delivery host names: one rule per listed sub-domain; the shared parent
# domains are not matched on their own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l3rn0n-llne.lemon8logistics.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warehouse.lemon8logistics.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9t5q.lemon8logistics.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rnang0-rnix.mango6courier.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"handoff.mango6courier.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3n7a.mango6courier.coupons"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749969; rev:1;)
# Most rules in this span carry `confidence_level 50`. The value is repeated in
# both `msg` and `metadata`, so alerts can be filtered or routed on it; the
# `classtype` is the same `trojan-activity` as for the 100% entries.
#
# URI condition `content:"/"; depth:1` is satisfied by any path that starts with
# "/", so the first rule below is in effect a match on GET + exact host only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gamewinners.in.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749968/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749968; rev:1;)
# URI is matched as a prefix ("/pl/js.php" followed by anything, any case).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pl/js.php"; depth:10; nocase; http.host; content:"btceducationcenter.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749967/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749967; rev:1;)
# Whole-name, case-insensitive DNS query match (depth equals the name length and
# `isdataat:!1,relative` rejects anything longer).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kittycom.doxxing.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749966/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749966; rev:1;)
# ip:port rules: matched on destination address and port only (no flow, flags or
# payload condition), limited to one alert per source host per 60 seconds. On
# port 443 a hit says a host sent TCP traffic to that endpoint, nothing about
# what was carried - corroborate with TLS/flow logs before escalating.
alert tcp $HOME_NET any -> [8.7.207.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749965/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749965; rev:1;)
alert tcp $HOME_NET any -> [58.217.132.58] 54321 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749964/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749964; rev:1;)
alert tcp $HOME_NET any -> [81.169.151.12] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749963/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749963; rev:1;)
alert tcp $HOME_NET any -> [38.60.220.157] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749962/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749962; rev:1;)
alert tcp $HOME_NET any -> [51.38.220.225] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749961/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749961; rev:1;)
alert tcp $HOME_NET any -> [64.176.37.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749960/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749960; rev:1;)
alert tcp $HOME_NET any -> [46.224.122.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749957/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749957; rev:1;)
# The one 100%-confidence entry in this span: whole-name DNS match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0live-vvork.olive4parcel.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749958; rev:1;)
alert tcp $HOME_NET any -> [144.172.116.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749959/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749959; rev:1;)
alert tcp $HOME_NET any -> [31.45.231.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749955/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749955; rev:1;)
alert tcp $HOME_NET any -> [202.61.137.217] 9002 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749956/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749956; rev:1;)
alert tcp $HOME_NET any -> [216.245.184.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749954/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749954; rev:1;)
alert tcp $HOME_NET any -> [107.173.3.9] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1749953/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_17; classtype:trojan-activity; sid:91749953; rev:1;)
# Domain rules below match the DNS query name as a whole: `depth` equals the
# length of the name, `isdataat:!1,relative` rejects any trailing bytes, and
# `nocase` ignores letter case. A query for a different label under the same
# parent domain does not alert.
# `dns_query` is the legacy spelling of the `dns.query` buffer keyword.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q97fo1tt.chattytolet.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0ufhrxly.chattytolet.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waybill.olive4parcel.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749949; rev:1;)
# 75% confidence entry - same rule shape, lower feed confidence in metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mikantiz.ansmtpariba.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749948/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r3p.olive4parcel.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greecpt.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749946; rev:1;)
# ip:port rules: destination address and port are the only conditions; the
# threshold emits at most one alert per source host per 60 seconds. The family
# name in `msg` comes from the feed entry, not from anything the rule inspects.
alert tcp $HOME_NET any -> [112.87.174.223] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749945; rev:1;)
alert tcp $HOME_NET any -> [3.237.94.23] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749944; rev:1;)
alert tcp $HOME_NET any -> [193.42.246.38] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749943; rev:1;)
# NOTE(review): ts.net looks like a mesh-VPN provider's shared zone - confirm.
# Only this exact host name is matched; other names under the zone do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythic.tail737292.ts.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749942; rev:1;)
alert tcp $HOME_NET any -> [104.37.5.228] 29810 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749940; rev:1;)
alert tcp $HOME_NET any -> [154.219.97.238] 5758 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749941/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3rry-rnove.berry9shipment.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749939; rev:1;)
alert tcp $HOME_NET any -> [172.104.48.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749938/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749938; rev:1;)
# Port 80 destination: the rule is `alert tcp`, so no HTTP field is inspected;
# HTTP logs for the same flow are needed to see what was requested.
alert tcp $HOME_NET any -> [185.237.207.216] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"manifest.berry9shipment.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749936/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749936; rev:1;)
# Mostly payload-delivery domain rules. Each one matches a single fully
# qualified query name (depth = name length, `isdataat:!1,relative` = nothing
# after it, `nocase`); several listed names share a parent domain, and that
# parent is not matched by itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6k2n.berry9shipment.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p3ach-llnk.peach3package.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749933; rev:1;)
# url rule: established client-side GET, host matched as a whole, URI matched as
# a prefix - "/login.php" followed by any query string or suffix also alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"f1231561.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749929; rev:1;)
# ip:port rules: address and port only, one alert per source host per 60 s.
alert tcp $HOME_NET any -> [194.59.30.30] 2017 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749932; rev:1;)
# 75% confidence entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dinoswamachine.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749930/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crate.peach3package.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749928; rev:1;)
alert tcp $HOME_NET any -> [172.86.113.29] 8445 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ni7zcfqx.gas98generator.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zgxymk8f.gas98generator.digital"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749925; rev:1;)
alert tcp $HOME_NET any -> [38.246.251.131] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m8v.peach3package.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rnint-vvave.mint7delivery.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"courier.mint7delivery.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749915; rev:1;)
# Registered-domain match: because the whole query name must equal the content,
# a lookup for a "www." or other sub-domain of this name does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christinehoffman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7p9a.mint7delivery.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749913; rev:1;)
alert tcp $HOME_NET any -> [128.0.1.9] 9302 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749859; rev:1;)
# ip:port rules in this span: `alert tcp` with a single destination address and
# port and no flow, flags or payload condition. `threshold: type limit, track
# by_src, seconds 60, count 1` reduces repeated traffic from one host to a single
# alert per minute, so alert counts do not reflect connection counts.
alert tcp $HOME_NET any -> [80.46.218.20] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749889; rev:1;)
# URI condition `content:"/"; depth:1` holds for any path beginning with "/", so
# this rule alerts on every GET to the listed host (90% confidence entry).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bnr.international"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749898/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_17; classtype:trojan-activity; sid:91749898; rev:1;)
# Domain rules: whole-name, case-insensitive match on the DNS query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agitate6vagina.digital"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749912; rev:1;)
# URI is a prefix match on "/api"; the host is matched as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"youngjo.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749911; rev:1;)
alert tcp $HOME_NET any -> [64.176.37.51] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749910; rev:1;)
alert tcp $HOME_NET any -> [144.31.221.96] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749909; rev:1;)
alert tcp $HOME_NET any -> [193.29.13.97] 5885 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749908; rev:1;)
# Port 443 destinations: nothing in these rules inspects TLS, so a hit shows
# only that a host sent TCP traffic to the endpoint. Pair with TLS or flow
# records for the same 5-tuple when triaging.
alert tcp $HOME_NET any -> [102.98.120.190] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749907; rev:1;)
alert tcp $HOME_NET any -> [54.209.247.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749906; rev:1;)
alert tcp $HOME_NET any -> [47.110.69.92] 1042 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gi9d0czb.serve5woodman.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3k71xodj.serve5woodman.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"futureplan.brightminds.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749896; rev:1;)
alert tcp $HOME_NET any -> [192.109.200.61] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749890; rev:1;)
alert tcp $HOME_NET any -> [62.164.177.107] 15847 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749891; rev:1;)
alert tcp $HOME_NET any -> [184.164.77.50] 5775 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749892; rev:1;)
# Domain rules: `dns_query` content anchored at both ends (depth = name length,
# `isdataat:!1,relative`) with `nocase`, i.e. the query name must equal the
# listed name. `target:src_ip` marks the querying $HOME_NET host as the target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wiseword.brightminds.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aircraftinteriorandpaint.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phoenixfilmproductions.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"force-007-bk.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749884; rev:1;)
alert tcp $HOME_NET any -> [101.132.167.9] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749883; rev:1;)
# 75%-confidence ip:port entries on ports 80 and 443. The rules match on address
# and port only - no HTTP or TLS field is inspected - so ordinary web traffic to
# the same address alerts as well.
# NOTE(review): 23.52.4.92 looks like CDN address space - confirm ownership; if
# it is shared, expect hits unrelated to the listed family.
alert tcp $HOME_NET any -> [23.52.4.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749882/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749882; rev:1;)
alert tcp $HOME_NET any -> [23.52.4.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749881/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749881; rev:1;)
alert tcp $HOME_NET any -> [119.91.54.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749880/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749880; rev:1;)
alert tcp $HOME_NET any -> [119.91.54.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749879/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"warmshore.gentlewave.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"summerbreeze.gentlewave.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749875; rev:1;)
# Short registered domains, matched as whole names: a query for a sub-domain of
# any of these does not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kenaifj.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captaid.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diplomi.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"schoole.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leafyrm.cyou"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749871; rev:1;)
# Domain rules: the DNS query name must equal the listed name (depth = name
# length, `isdataat:!1,relative` rejects trailing bytes, `nocase`). Each `sid`
# is the ThreatFox IOC id from the `reference` URL with a leading 9.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"automaf.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"littlep.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calmwater.gentlewave.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"strongmetal.ironpulse.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smoothride.velvetroad.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redcarpet.velvetroad.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softtouch.velvetroad.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749855; rev:1;)
# 75%-confidence ip:port entry: address and port are the only conditions.
alert tcp $HOME_NET any -> [64.225.101.164] 2096 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749854/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9jn8b8q.ostroy56sagacious.digital"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3uwms13u.ostroy56sagacious.digital"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"longway.hiddenpath.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749851; rev:1;)
# ip:port rules. Every entry of this type uses the same "<family> botnet C2
# traffic" message text; the family name is taken from the feed entry and
# nothing in the rule inspects the payload. The rules fire on address and port
# alone, at most once per source host per 60 seconds, so on ports 80, 8080 and
# 8443 they need corroboration from HTTP/TLS or flow logs.
alert tcp $HOME_NET any -> [168.245.203.151] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749850; rev:1;)
alert tcp $HOME_NET any -> [23.236.64.238] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749849; rev:1;)
alert tcp $HOME_NET any -> [98.86.172.85] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749848; rev:1;)
alert tcp $HOME_NET any -> [98.87.167.138] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749847; rev:1;)
alert tcp $HOME_NET any -> [95.163.86.204] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749846; rev:1;)
# ip:port indicators. These rules carry no flow, flags or content options, so
# they match on the header alone: any TCP packet from $HOME_NET to the listed
# address and port. threshold (type limit, track by_src, seconds 60, count 1)
# caps this at one alert per source address per 60 seconds; it does not narrow
# what matches.
# The Vidar entries below are all on port 443. Nothing in the rule looks at
# the payload, so it cannot tell the reported C2 from any other service on the
# same address. Use first_seen in metadata to age entries out, and treat an
# alert as a lead to confirm with flow, TLS or endpoint data.
alert tcp $HOME_NET any -> [64.89.163.98] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749845; rev:1;)
alert tcp $HOME_NET any -> [172.86.126.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749839; rev:1;)
alert tcp $HOME_NET any -> [188.245.84.214] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749840; rev:1;)
alert tcp $HOME_NET any -> [188.245.95.148] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749841; rev:1;)
alert tcp $HOME_NET any -> [89.167.66.199] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749842; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.15] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749843; rev:1;) alert tcp $HOME_NET any -> [217.156.66.67] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749844; rev:1;) alert tcp $HOME_NET any -> [89.167.61.22] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.156.66.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.245.92.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749837; rev:1;)
# URL indicators whose path is "/". The http.uri test (content:"/"; depth:1)
# is satisfied by any request path that begins with "/", and the http.method
# test is an unanchored "GET", so http.host is the only discriminating field:
# depth equals the content length and isdataat:!1,relative rejects anything
# after it, i.e. the host buffer must equal the listed address exactly.
# These rules only apply to traffic the engine parses as HTTP. Some of the
# same addresses also have ip:port rules on 443 in this file (e.g.
# 172.86.126.99, sid 91749839), so one host contact may raise either or both -
# correlate by destination rather than counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.61.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"172.86.126.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.245.84.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.141.150"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1749832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.245.95.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.66.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lostforest.hiddenpath.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secretdoor.hiddenpath.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnl.gadgetwalabd.com"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749824; rev:1;)
# pnl.alpinematters.com is listed twice below: as a DNS name (sid 91749825)
# and as an HTTP Host value with path "/" (sid 91749822). A client that
# resolves the name and then requests it over cleartext HTTP can raise both
# alerts for the same contact. The DNS rule is the one that can still fire
# when the session itself is encrypted or never established, provided the
# lookup is visible to the sensor.
# In the HTTP rules the URI test (content:"/"; depth:1) matches any path that
# starts with "/", so the exact-match http.host test carries the detection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnl.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iceshore.frozengrove.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pnl.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pnl.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"puresnow.frozengrove.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749818; rev:1;)
# The next two entries are rated confidence_level 75 by the feed; the rating
# appears only in msg and metadata. Action (alert), classtype and the match
# logic are the same as for the 100% entries, so any down-weighting has to be
# done by the consumer, e.g. by filtering or re-prioritising on the metadata
# key.
# coscoshippingjp.duckdns.org is a host under a dynamic-DNS zone. The rule
# pins the full name (depth 27 equals the content length, and
# isdataat:!1,relative rejects trailing data), so other names under
# duckdns.org are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"obiproject2026.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749817/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coscoshippingjp.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749816/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749816; rev:1;)
# Header-only ip:port match (no flow or content options); the threshold limits
# it to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [5.252.153.240] 2055 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winterland.frozengrove.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clearfocus.boldvision.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1749813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749813; rev:1;) alert tcp $HOME_NET any -> [3.85.107.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749812; rev:1;) alert tcp $HOME_NET any -> [66.42.49.168] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartstep.boldvision.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insectwoman.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quartershoes.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; 
sid:91749807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lakecars.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newidea.boldvision.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepblue.silentpeak.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"33vy2hv2v7hoy4q.sbs"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.222.99.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749536/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_17; classtype:trojan-activity; sid:91749536; rev:1;) alert tcp 
$HOME_NET any -> [185.177.57.81] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749537/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_17; classtype:trojan-activity; sid:91749537; rev:1;) alert tcp $HOME_NET any -> [39.99.25.80] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749764; rev:1;) alert tcp $HOME_NET any -> [82.26.74.181] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749781; rev:1;) alert tcp $HOME_NET any -> [165.245.189.98] 8008 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hayesmed.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749488/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"regancontrols.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1749487/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749487; rev:1;) alert tcp $HOME_NET any -> [95.148.150.125] 3074 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749485; rev:1;) alert tcp $HOME_NET any -> [107.152.32.98] 3919 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749478; rev:1;) alert tcp $HOME_NET any -> [172.94.9.74] 8279 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749467; rev:1;) alert tcp $HOME_NET any -> [138.199.59.4] 60736 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749466; rev:1;) alert tcp $HOME_NET any -> [152.89.162.5] 50481 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749464; rev:1;) alert tcp $HOME_NET any -> [16.78.248.241] 4832 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfkjsdhfsdfsdhsken.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"highstone.silentpeak.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749790; rev:1;) alert tcp $HOME_NET any -> [77.223.83.36] 1111 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recently-dsc.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"littlep.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coldwind.silentpeak.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oldbridge.urbanharvest.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749784; rev:1;) alert tcp $HOME_NET any -> [193.222.99.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749780; rev:1;) alert tcp $HOME_NET any -> [108.242.221.141] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749779; rev:1;) alert tcp $HOME_NET any -> [168.245.203.163] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749777/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749777; rev:1;) alert tcp $HOME_NET any -> [168.245.203.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749778; rev:1;) alert tcp $HOME_NET any -> [168.245.203.174] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749776; rev:1;) alert tcp $HOME_NET any -> [185.196.10.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749775; rev:1;) alert tcp $HOME_NET any -> [155.117.42.89] 3387 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premium303202101-62037.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"service.viewdns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749769; rev:1;)
# ip:port rules: there are no payload or flow keywords, so any TCP packet from $HOME_NET to the
# listed address and port alerts. A hit shows a connection attempt, not a confirmed C2 session.
# threshold "type limit, track by_src, seconds 60, count 1" emits at most one alert per source
# host per minute; use flow logs to judge volume and duration.
# target:src_ip marks the $HOME_NET host as the alert target, i.e. the internal client to investigate.
alert tcp $HOME_NET any -> [197.144.114.233] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749768; rev:1;)
alert tcp $HOME_NET any -> [155.117.42.89] 3390 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749767; rev:1;)
alert tcp $HOME_NET any -> [178.16.54.125] 8281 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749766; rev:1;)
# confidence_level 75 (lower than the neighbouring entries): corroborate with host or flow
# evidence before acting on this address alone.
alert tcp $HOME_NET any -> [172.104.48.174] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_17; classtype:trojan-activity; sid:91749765; rev:1;)
# domain rules: depth equals the content length and isdataat:!1,relative forbids trailing bytes,
# so only this exact query name matches (case-insensitively, via nocase). Labels under the same
# parent domain that are not listed here do not alert; search DNS logs for the parent domains
# (several names below share one) to find them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenpark.urbanharvest.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citylight.urbanharvest.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"openfield.swiftmotion.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fastsky.swiftmotion.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkriver.swiftmotion.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freshbreeze.sandbox-proxy-diagnostic.coupons"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749527/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"redstone.sandbox-proxy-diagnostic.coupons"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smartcloud.sandbox-proxy-diagnostic.coupons"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wildriver.runtime-error-handler.coupons"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldenapple.runtime-error-handler.coupons"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749522; rev:1;)
# Port 443 with no TLS or payload keyword: the rule keys on address and port only, so it cannot
# tell C2 from any other service reachable at this address.
alert tcp $HOME_NET any -> [193.222.99.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749521; rev:1;)
# 16.63.172.13 is listed on three ports (2003, 21403, 103). Meterpreter is also used in
# authorised security testing, so check for a sanctioned engagement during triage.
alert tcp $HOME_NET any -> [16.63.172.13] 2003 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749519; rev:1;)
alert tcp $HOME_NET any -> [16.63.172.13] 21403 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749520; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749517; rev:1;)
alert tcp $HOME_NET any -> [16.63.172.13] 103 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749518; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.105] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749516; rev:1;)
alert tcp $HOME_NET any -> [168.245.203.102] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1749515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749515; rev:1;)
# ip:port rules carry no flow or payload keywords: they alert on any TCP packet to the listed
# address and port, at most once per source host per 60 seconds (threshold type limit, by_src).
# Entries on ports 80 and 443 therefore match every connection to that address, whatever it carries.
alert tcp $HOME_NET any -> [89.190.158.76] 80 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749514; rev:1;)
alert tcp $HOME_NET any -> [192.117.9.22] 1443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749513; rev:1;)
alert tcp $HOME_NET any -> [164.90.161.126] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749512; rev:1;)
alert tcp $HOME_NET any -> [172.111.162.252] 5050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749511; rev:1;)
alert tcp $HOME_NET any -> [107.189.22.184] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749510; rev:1;)
alert tcp $HOME_NET any -> [34.92.40.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_17; classtype:trojan-activity; sid:91749509; rev:1;)
# domain rules: the content is pinned to the whole query name (depth equals its length,
# isdataat:!1,relative forbids trailing bytes), so only the exact FQDN alerts. The .coupons and
# .digital entries below share parent domains; unlisted labels under those parents are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greenforest.runtime-error-handler.coupons"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brightstar.endpoint-metrics-internal.coupons"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"silverleaf.endpoint-metrics-internal.coupons"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0bz6vz64.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w53zv1lx.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueocean.endpoint-metrics-internal.coupons"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flowerskitty.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749501/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749501; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.94] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749500; rev:1;)
alert tcp $HOME_NET any -> [54.196.248.194] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749499; rev:1;)
# "Unknown malware" entries name no family: the alert identifies the endpoint only, so the host
# investigation has to establish what actually connected.
alert tcp $HOME_NET any -> [20.251.145.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749498; rev:1;)
alert tcp $HOME_NET any -> [91.99.225.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749497; rev:1;)
alert tcp $HOME_NET any -> [39.106.133.52] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"report-stream-55.dev-trace-analyzer.coupons"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thedigitalphotos.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t-9.dev-trace-analyzer.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749493; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w-4.syslog-remote-buffer.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749492; rev:1;)
# The payload-delivery names in this stretch come three labels to a parent domain
# (syslog-remote-buffer, extension-health-sync, debug-edge-cases, stackdump-collector,
# telemetry-api-v1, all under .coupons). Each rule matches one exact FQDN only (depth equals the
# content length, isdataat:!1,relative forbids trailing bytes), so search resolver logs for the
# parent domains to find labels the feed has not listed.
# NOTE(review): the parent names resemble logging/telemetry endpoints; do not allowlist on name alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"buffer-temp-a.syslog-remote-buffer.coupons"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"log33.syslog-remote-buffer.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r12.extension-health-sync.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sync-v-8.extension-health-sync.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q-set.extension-health-sync.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p77.debug-edge-cases.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gateway-node-x.debug-edge-cases.coupons"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"user29.debug-edge-cases.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b-3.stackdump-collector.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"unique-trace-id.stackdump-collector.coupons"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pachisuave.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m-91.stackdump-collector.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749472; rev:1;)
# ip:port rule: no flow or payload keywords, so it alerts on any TCP packet to this address and
# port, at most once per source host per 60 seconds.
alert tcp $HOME_NET any -> [2.56.172.45] 8793 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z-node.telemetry-api-v1.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"session-8201.telemetry-api-v1.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v-ref.telemetry-api-v1.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749462; rev:1;)
# Meterpreter and Sliver are also used in authorised security testing; check for a sanctioned
# engagement when triaging hits on the next three rules.
alert tcp $HOME_NET any -> [35.156.10.131] 4839 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749460; rev:1;)
alert tcp $HOME_NET any -> [94.237.27.113] 8001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749459; rev:1;)
alert tcp $HOME_NET any -> [64.176.37.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749458; rev:1;)
alert tcp $HOME_NET any -> [45.32.165.239] 2012 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749457; 
rev:1;)
# domain rules: depth equals the content length and isdataat:!1,relative forbids trailing bytes,
# so only the exact query name alerts (nocase); other labels under browser-crash-report.coupons
# or eisenherz.coupons are not covered by these entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8.browser-crash-report.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"proc-9-auth.browser-crash-report.coupons"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"id662.browser-crash-report.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749447; rev:1;)
# Several entries in this stretch carry confidence_level 75 or 90 rather than 100. The rules are
# otherwise identical (any TCP packet to the address and port, one alert per source per 60 s),
# so the metadata value is the only cue for ranking them lower in triage or keeping them
# alert-only where higher-confidence entries feed a blocklist.
alert tcp $HOME_NET any -> [5.101.86.27] 46321 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749445/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749445; rev:1;)
alert tcp $HOME_NET any -> [218.255.179.148] 36123 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749444/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749444; rev:1;)
alert tcp $HOME_NET any -> [223.109.212.168] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.armpentest.ink"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749442; rev:1;)
alert tcp $HOME_NET any -> [31.141.178.107] 5130 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749441/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_16; classtype:trojan-activity; sid:91749441; rev:1;)
alert tcp $HOME_NET any -> [102.117.165.185] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749440; rev:1;)
alert tcp $HOME_NET any -> [155.138.161.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749439; rev:1;)
alert tcp $HOME_NET any -> [2.59.218.208] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749438/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_16; classtype:trojan-activity; sid:91749438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q80.eisenherz.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749437; rev:1;)
alert tcp $HOME_NET any -> [144.31.101.142] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749436/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749436; rev:1;)
alert tcp $HOME_NET any -> [31.57.219.101] 2005 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749434; rev:1;)
alert tcp $HOME_NET any -> [129.226.150.94] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749433/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hansonscarriers.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749432/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749432; rev:1;)
alert tcp $HOME_NET any -> [107.189.17.96] 44999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749431/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749431; rev:1;)
alert tcp $HOME_NET any -> [188.245.92.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"id-9921-auth.eisenherz.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p-link.eisenherz.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749425; rev:1;)
# NOTE(review): the next rule anchors an IP address at offset 0 of http.uri (depth:14) and has no
# http.host match. Request URIs normally begin with "/", and the other url rules in this file
# put the host in http.host, so this rule probably cannot fire as written. Confirm against the
# ThreatFox entry; if the IOC is a bare host, match it in http.host in a local copy of the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"217.156.66.135"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1749424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749424; rev:1;)
# url rule: GET requests whose URI starts with "/api" (depth:4 is a prefix match, nocase) to the
# exact host given in http.host. It inspects cleartext HTTP only and has no threshold, so every
# matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cryaesa.cyou"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1749423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749423; rev:1;)
# domain rules: depth equals the content length and isdataat:!1,relative forbids trailing bytes,
# so only the exact query name alerts (nocase). The clairsol, zeitgeist, mainsage and goldberg
# .coupons entries below share parent domains; unlisted labels under them are not covered, so
# search resolver logs for the parent domains as well.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"horus65-58899.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z99.clairsol.coupons"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fast-path-x.clairsol.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749416; rev:1;)
# ip:port rules: no flow or payload keywords, so any TCP packet to the listed address and port
# alerts, at most once per source host per 60 seconds. The two Ghost RAT entries are adjacent
# addresses (23.104.160.115 and .116) on different ports.
alert tcp $HOME_NET any -> [23.104.160.115] 8890 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749413; rev:1;)
alert tcp $HOME_NET any -> [23.104.160.116] 9963 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3921.clairsol.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749412; rev:1;)
alert tcp $HOME_NET any -> [5.251.45.147] 40500 (msg:"ThreatFox Phorpiex botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v-n-v.zeitgeist.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"unique-set-02.zeitgeist.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trck.zeitgeist.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749409; rev:1;)
# The two isb.* hosts each appear twice: as a DNS query rule (sids 91749408, 91749407) and as
# an HTTP rule (sids 91749406, 91749405). The DNS rule fires on the lookup whatever protocol
# follows; the HTTP rule sees cleartext HTTP only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isb.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isb.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749407; rev:1;)
# http.uri content "/" with depth:1 matches any URI that begins with "/", so these two rules
# amount to "any GET to this exact http.host value". They carry no threshold keyword, so every
# matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"isb.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"isb.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k-7.mainsage.coupons"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliveto.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"session-id-a9.mainsage.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bnt11.mainsage.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"customer-ref-91.goldberg.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xqz-p.goldberg.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"u842.goldberg.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shenron19862.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749396; rev:1;) alert tcp $HOME_NET any -> [37.114.46.213] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749393; rev:1;) alert tcp $HOME_NET any -> [37.114.46.213] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749394; rev:1;) alert tcp $HOME_NET any -> [37.114.46.213] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cattlegold.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749389/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bikesdonkey.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"instrumentvolcano.space"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homefireman.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749392; rev:1;) alert tcp $HOME_NET any -> [37.114.46.213] 4042 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edge-99.vertjardin.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"direct-access-point.vertjardin.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749385; rev:1;)
# ^ tail of a rule that begins on the preceding line.
#
# Domain rules. In each, depth equals the length of the content string and
# isdataat:!1,relative forbids trailing bytes, so the dns_query buffer must be
# exactly the listed name (any letter case, via nocase). The msg text carries
# the feed's category: "botnet C2 traffic" or "payload delivery".
# Several names share a parent (vertjardin.coupons, blue128cinder.digital);
# only the listed host names match, not the parent or other hosts under it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyc.kyowlmsapcxxx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jyx7jwja.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.vertjardin.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rz8u2m81.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749381; rev:1;)
# ip:port rules: the header's destination address and port are the only
# condition (no flow, content or application-layer keyword), so the alert says
# "a $HOME_NET host sent TCP to this endpoint", nothing about the payload.
# threshold: at most one alert per source address per 60 seconds.
# The malware family in msg is the feed's label for the IOC.
alert tcp $HOME_NET any -> [151.64.6.123] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749380; rev:1;)
alert tcp $HOME_NET any -> [13.244.92.6] 2455 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749379; rev:1;)
# Domain rules (exact-name match, as described above).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frechkotikru-221.icu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noelmeowru-339.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huligankotru-451.icu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uri2df93.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749375/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"6qgqyv15.blue128cinder.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"auth-global-zone.schnellauf.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dl.schnellauf.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749372; rev:1;)
# ip:port rule (destination endpoint only, rate-limited per source).
alert tcp $HOME_NET any -> [197.26.167.133] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749331; rev:1;)
# Domain rules. Labels such as "hyp0-vvrite" are compared as literal bytes;
# the look-alike spelling is part of the IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hyp0-vvrite.capitul98hypo.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gate-v7.nuitetoile.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"external-web-node.nuitetoile.coupons"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api.nuitetoile.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"node44.starkwind.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"data-transfer-srv.starkwind.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749363; rev:1;)
# Head of a rule that continues on the following line.
alert
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ws.starkwind.coupons"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749362; rev:1;)
# ^ tail of a rule that begins on the preceding line.
#
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so the dns_query buffer must be exactly the listed
# name (nocase: any letter case).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"client.signin-katapult.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shareitdownload.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749360; rev:1;)
# Remcos ip:port rules. The header's destination address and port are the
# only condition; nothing inspects the protocol or payload, so any TCP from
# $HOME_NET to the endpoint alerts (this includes 212.90.190.137 on port 465,
# whatever service is spoken there). threshold: one alert per source address
# per 60 seconds. Two addresses appear on two ports each
# (213.177.179.35, 172.94.9.74).
alert tcp $HOME_NET any -> [185.36.191.6] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749353; rev:1;)
alert tcp $HOME_NET any -> [193.22.96.22] 8090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749354; rev:1;)
alert tcp $HOME_NET any -> [212.90.190.137] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749355; rev:1;)
alert tcp $HOME_NET any -> [213.177.179.35] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749356; rev:1;)
alert tcp $HOME_NET any -> [213.177.179.35] 8279 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chiwatoken.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749359; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.74] 49309 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749350; rev:1;)
alert tcp $HOME_NET any -> [172.94.9.74] 59887 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749351; rev:1;)
alert tcp $HOME_NET any -> [176.107.176.77] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749352; rev:1;)
# "Unknown malware" is the feed's own label: the IOC is listed as C2 without a
# named family.
alert tcp $HOME_NET any -> [169.40.135.21] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749349; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.177] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749348; rev:1;)
# Payload-delivery domain rules (exact-name match). Names cluster under a few
# parents (bleuforet.coupons, capitul98hypo.coupons, four486stop.coupons);
# only the listed host names match, not the parents or their other hosts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-b9.bleuforet.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secure-cloud-link.bleuforet.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v1.bleuforet.coupons"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"treatise.capitul98hypo.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a5v9n.capitul98hypo.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f0ur-rnark.four486stop.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waypoint.four486stop.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749339; rev:1;)
# Head of a rule that continues on the following line.
alert tcp $HOME_NET any -> [45.92.1.219] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749338/; target:src_ip;
metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749338; rev:1;)
# ^ tail of a rule that begins on the preceding line.
#
# URL rules at confidence_level 50. The feed's confidence appears only in msg
# and metadata; classtype is the same trojan-activity used by the 100% rules,
# so classtype alone does not separate them. Filter on metadata confidence_level
# if lower-confidence entries should be triaged differently.
# Matching: http.host must equal the listed value exactly (depth = length plus
# isdataat:!1,relative); two of the values are IP literals. http.uri is a
# prefix test only: depth bounds where the pattern may sit and there is no
# isdataat on that buffer, so a longer URI starting with the same path also
# matches, and with content:"/" depth:1 any GET to the host matches.
# NOTE(review): www.jira.devergent.net is listed on the host name alone at 50%
# confidence; check the referenced IOC record before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"222.255.100.119"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749337/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kimikanovps1111.beauty"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749336/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coinbasehideuiqp.cc"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749335/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.jira.devergent.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749334/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/982c183d8a9835c6.php"; depth:21; nocase; http.host; content:"45.11.92.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749333/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749333; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so the dns_query buffer must be exactly the listed
# name (nocase: any letter case). Look-alike labels such as "st0ne-vvyrd" are
# compared as literal bytes.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2k6d.four486stop.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"st0ne-vvyrd.stone48tyranny.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monolith.stone48tyranny.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749329; rev:1;)
# ip:port rules: the header's destination address and port are the only
# condition (no flow, content or application-layer keyword).
# threshold: one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [103.50.255.100] 10086 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749316; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.179] 555 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749321; rev:1;)
alert tcp $HOME_NET any -> [124.135.18.68] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749323; rev:1;)
alert tcp $HOME_NET any -> [41.9.52.105] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749325; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.188] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x1m.stone48tyranny.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"si1h0uette-llnk.paw85silhouette.coupons"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749324; rev:1;)
# ip:port rules at confidence_level 75 (same header-only matching as above).
alert tcp $HOME_NET any -> [31.45.231.174] 10000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749320/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749320; rev:1;)
alert tcp $HOME_NET any -> [151.243.109.247] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749319/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"contour.paw85silhouette.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9t5q.paw85silhouette.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749315; rev:1;)
# Head of a rule that continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sdn-cloudflare-js-botstrup.click"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749189/; target:src_ip; metadata: confidence_level 100,
first_seen 2026_02_16; classtype:trojan-activity; sid:91749189; rev:1;)
# ^ tail of a rule that begins on the preceding line.
#
# Payload-delivery URL rules that all test the same request: method GET, URI
# beginning with /api/css.js, and an exact http.host (depth = length plus
# isdataat:!1,relative). Only the host differs from rule to rule. The http.uri
# test has no isdataat, so a URI that continues after /api/css.js (for example
# with a query string) still matches.
# flow:established,from_client restricts matching to the client-to-server side
# of an established session.
# NOTE(review): as `alert http` rules these need HTTP the sensor can parse;
# requests to the same hosts inside TLS are not visible to them. Of the hosts
# below, only firazit.com also has a dns rule in this group.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"2fa-cp.click"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"restapiserv.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"str-smcontrcats.cfd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"poygon-notifications.click"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"img-cdn-cloud.click"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-js-conhost.click"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"nascdn-js.click"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-server-styles.click"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"rpc-framework-check.click"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn2-server.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"styles-get-img.cfd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"dev-js-cdn.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sdn-cloudflare-js.click"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cloud-safe.click"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sdn-cloudflare-js-css.click"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749212; rev:1;)
# firazit.com is covered twice: the dns rule fires on a lookup of exactly that
# name, the http rule on the /api/css.js request to it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"firazit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"firazit.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749272; rev:1;)
# Head of a rule that continues on the following line.
alert tcp $HOME_NET any -> [209.54.103.189] 63712 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit,
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749273; rev:1;) alert tcp $HOME_NET any -> [185.246.223.69] 56001 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hecker12345-61516.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software-garlic.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749312; rev:1;) alert tcp $HOME_NET any -> [103.177.47.216] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749311; rev:1;) alert tcp $HOME_NET any -> [103.177.47.175] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; 
classtype:trojan-activity; sid:91749310; rev:1;) alert tcp $HOME_NET any -> [103.177.47.212] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749309; rev:1;) alert tcp $HOME_NET any -> [94.237.101.201] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749308; rev:1;) alert tcp $HOME_NET any -> [170.187.205.218] 8080 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749307; rev:1;) alert tcp $HOME_NET any -> [179.95.122.188] 9990 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749306; rev:1;) alert tcp $HOME_NET any -> [172.65.239.53] 8443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749305; rev:1;) alert tcp $HOME_NET any -> [178.16.52.127] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rep0rt-rnix.reporter9speck.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dispatch.reporter9speck.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pic.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pic.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pic.gadgetwalabd.com"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pic.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3n7a.reporter9speck.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1trnan-vvex.pitman123wid.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxblessings.minhaempresa.tv"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749294; rev:1;) alert tcp $HOME_NET any -> [24.74.213.251] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1749293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749293; rev:1;) alert tcp $HOME_NET any -> [134.209.30.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arhibooks.radio.fm"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"journal-complete.sa.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ledger.pitman123wid.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r3p.pitman123wid.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; 
classtype:trojan-activity; sid:91749286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3aofxgg5.orbit44kind.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h698pw1r.orbit44kind.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kh10p0-rnate.khlopotun6turn.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruruurururururu.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"workshop.khlopotun6turn.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749274; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6k2n.khlopotun6turn.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749270; rev:1;) alert tcp $HOME_NET any -> [47.96.81.247] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749267; rev:1;) alert tcp $HOME_NET any -> [155.103.71.207] 19924 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749266/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"six.aaahorneswell.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749265/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"58winn.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749263/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"onirban.in.net"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749264/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"be1ieve-vvave.believein41fant.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749261; rev:1;) alert tcp $HOME_NET any -> [185.100.233.121] 80 (msg:"ThreatFox Fickle Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749260/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749260; rev:1;) alert tcp $HOME_NET any -> [121.89.205.206] 19090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749259/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749259; rev:1;) alert tcp $HOME_NET any -> [153.120.135.216] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749258/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749258; rev:1;) alert tcp $HOME_NET any -> [176.133.239.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749257/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; 
sid:91749257; rev:1;) alert tcp $HOME_NET any -> [86.104.9.131] 9446 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749256/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749256; rev:1;) alert tcp $HOME_NET any -> [156.223.82.207] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749255/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749255; rev:1;) alert tcp $HOME_NET any -> [71.89.141.8] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749253/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749253; rev:1;) alert tcp $HOME_NET any -> [52.202.90.227] 8494 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749254/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749254; rev:1;) alert tcp $HOME_NET any -> [5.160.135.38] 8099 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749251/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749251; rev:1;) alert tcp $HOME_NET any -> [149.12.67.250] 6379 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1749252/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749252; rev:1;) alert tcp $HOME_NET any -> [93.144.96.45] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749250/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749250; rev:1;) alert tcp $HOME_NET any -> [27.102.137.38] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749248/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749248; rev:1;) alert tcp $HOME_NET any -> [27.102.138.150] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749247/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749247; rev:1;) alert tcp $HOME_NET any -> [27.102.138.144] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749246/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"horizon.believein41fant.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749245; rev:1;) alert tcp $HOME_NET any -> [103.153.61.202] 4443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749243/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749243; rev:1;) alert tcp $HOME_NET any -> [15.236.165.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749244/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749244; rev:1;) alert tcp $HOME_NET any -> [34.101.131.221] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749240/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749240; rev:1;) alert tcp $HOME_NET any -> [181.174.165.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749241/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749241; rev:1;) alert tcp $HOME_NET any -> [34.30.77.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749242/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749242; rev:1;) alert tcp $HOME_NET any -> [79.148.106.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749239/; target:src_ip; 
metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749239; rev:1;) alert tcp $HOME_NET any -> [45.12.2.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749238/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749238; rev:1;) alert tcp $HOME_NET any -> [195.177.94.132] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749237/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749237; rev:1;) alert tcp $HOME_NET any -> [138.197.145.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749235/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749235; rev:1;) alert tcp $HOME_NET any -> [144.172.106.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749236/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749236; rev:1;) alert tcp $HOME_NET any -> [176.119.148.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749232/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749232; rev:1;) alert tcp $HOME_NET any -> [138.201.198.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749233/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749233; rev:1;) alert tcp $HOME_NET any -> [138.68.254.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749234/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749234; rev:1;) alert tcp $HOME_NET any -> [216.128.145.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749230/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749230; rev:1;) alert tcp $HOME_NET any -> [178.128.65.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749231/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749231; rev:1;) alert tcp $HOME_NET any -> [72.142.102.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749228/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749228; rev:1;) alert tcp $HOME_NET any -> [82.165.218.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749229/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749229; rev:1;) alert tcp $HOME_NET 
any -> [188.40.151.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749226/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749226; rev:1;) alert tcp $HOME_NET any -> [198.199.73.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749227/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749227; rev:1;) alert tcp $HOME_NET any -> [84.17.45.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749223/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749223; rev:1;) alert tcp $HOME_NET any -> [24.144.90.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749224/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749224; rev:1;) alert tcp $HOME_NET any -> [147.93.185.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749225/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749225; rev:1;) alert tcp $HOME_NET any -> [95.216.212.8] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749221/; target:src_ip; metadata: 
confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749221; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# --- ip:port indicators -------------------------------------------------------------
# Each rule alerts on TCP traffic from $HOME_NET to one fixed destination address and
# port. No flow, payload or application-layer keyword is present, so a hit means only
# "an internal host sent a packet to this endpoint", not that a particular protocol was
# spoken. `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per 60 seconds per rule. `target:src_ip` marks the internal
# sender as the affected side of the event.
#
# The next five rules carry `confidence_level 50`, the lowest value in this span.
# NOTE(review): consider routing on the metadata key instead of treating these like the
# 100% entries, and check first_seen and the referenced ThreatFox entry before
# escalating; an address on a common port (443, 80) can be reassigned.
# NOTE(review): 31337 and 50050 are, as far as I know, the default operator-facing ports
# of Sliver and Cobalt Strike rather than implant listeners; confirm what these entries
# represent before reading a hit as beacon traffic.
alert tcp $HOME_NET any -> [45.94.31.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749222/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749222; rev:1;)
alert tcp $HOME_NET any -> [54.215.58.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749219/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749219; rev:1;)
alert tcp $HOME_NET any -> [43.206.141.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749220/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749220; rev:1;)
alert tcp $HOME_NET any -> [4.201.220.7] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749218/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749218; rev:1;)
alert tcp $HOME_NET any -> [111.228.4.54] 4455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749217/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_16; classtype:trojan-activity; sid:91749217; rev:1;)
# One address on three ports; the confidence differs per port (75, 75, 100).
alert tcp $HOME_NET any -> [38.76.193.175] 3451 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749216/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749216; rev:1;)
alert tcp $HOME_NET any -> [38.76.193.175] 2451 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749215/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749215; rev:1;)
alert tcp $HOME_NET any -> [38.76.193.175] 1451 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749214; rev:1;)
alert tcp $HOME_NET any -> [47.246.13.113] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749203/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749203; rev:1;)
alert tcp $HOME_NET any -> [38.60.242.200] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749202/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749202; rev:1;)
alert tcp $HOME_NET any -> [34.232.174.173] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749200/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749200; rev:1;)
#
# --- domain indicators (DNS) ----------------------------------------------------------
# Exact-name match on the DNS query buffer: `depth` equals the length of the content
# string, which pins the match to the start of the name, and `isdataat:!1,relative`
# requires that nothing follows it. Only a query for exactly this name fires (case is
# ignored via `nocase`); a sibling or deeper subdomain does not. There is no threshold
# keyword on these rules, so every matching query produces an alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m8v.believein41fant.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749197; rev:1;)
alert tcp $HOME_NET any -> [155.94.144.226] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749196/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749196; rev:1;)
# Two names under the same parent (blu45modern.coupons); each is matched only as the
# full name listed, so other labels under that parent are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m0d-rnflux.blu45modern.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atelier.blu45modern.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749188; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.240] 1420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749180; rev:1;)
# The line below is the start of an http rule whose remainder follows this span; it is kept as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"vrfimgjs.click"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749179; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# --- URL indicators (HTTP) ------------------------------------------------------------
# These rules inspect client-to-server data on established flows
# (`flow:established,from_client`). Three buffers must match together: http.method
# contains GET, http.uri starts with the listed path (`depth` pins the start; nothing
# pins the end, so a longer path or a query string after it still matches), and
# http.host is exactly the listed name (`depth` plus `isdataat:!1,relative`).
# NOTE(review): the http.host content has no `nocase`; this presumably relies on
# Suricata lower-casing that buffer, so confirm for the deployed version.
# The five rules below share the URI /api/css.js and differ only in the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"bssapi.click"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"alffsave.click"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-clodflare-fotns.click"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"captcha-cds.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sccdnd-ltyles.click"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749187; rev:1;)
#
# --- ip:port indicators -----------------------------------------------------------------
# Alert on TCP traffic from $HOME_NET to one fixed address and port. No payload or flow
# keyword is present, so a hit shows contact with the endpoint, not the protocol used.
# `threshold: type limit, track by_src, seconds 60, count 1` limits each rule to one
# alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [142.91.102.119] 443 (msg:"ThreatFox VShell botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749183; rev:1;)
alert tcp $HOME_NET any -> [45.92.1.138] 8041 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749178; rev:1;)
#
# --- domain indicators (DNS) ------------------------------------------------------------
# Exact-name match on the DNS query: `depth` equals the content length and
# `isdataat:!1,relative` forbids trailing data, so only the full name listed fires
# (case-insensitively); other names under the same parent do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"relay.readmenownow838.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.corwineagles.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749176; rev:1;)
alert tcp $HOME_NET any -> [35.94.59.248] 59298 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749175; rev:1;)
alert tcp $HOME_NET any -> [15.216.6.223] 9490 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749174; rev:1;)
alert tcp $HOME_NET any -> [88.210.13.135] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749173; rev:1;)
# The URI content here is just "/" with depth:1, which any URI beginning with a slash
# satisfies. In practice this rule is a host-only match: every GET whose Host header is
# exactly this address fires it, whatever the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"158.94.209.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748900; rev:1;)
alert tcp $HOME_NET any -> [195.211.96.77] 2428 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748898; rev:1;)
# The line below is the start of an http rule whose remainder follows this span; it is kept as found.
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user_profiles_photo/cptchbuild.bin"; depth:35; nocase; http.host; content:"94.154.35.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748896; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# URL indicator: GET on an established client-to-server flow, URI starting with the
# listed path (start-anchored by `depth`, case-insensitive, not end-anchored) and
# http.host exactly equal to the listed address. It names the same host and directory
# as the rule fragment above, with a different file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user_profiles_photo/chromelevator.bin"; depth:38; nocase; http.host; content:"94.154.35.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748897; rev:1;)
#
# --- ip:port indicators -----------------------------------------------------------------
# Alert on TCP traffic from $HOME_NET to one fixed address and port, with no payload or
# flow condition. Each rule is limited to one alert per source address per 60 seconds
# by `threshold: type limit, track by_src, seconds 60, count 1`.
alert tcp $HOME_NET any -> [198.244.201.139] 5733 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748895; rev:1;)
alert tcp $HOME_NET any -> [45.243.236.40] 9898 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748929; rev:1;)
alert tcp $HOME_NET any -> [80.71.224.47] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91748946; rev:1;)
#
# --- payload-delivery cluster on .click / .cfd names --------------------------------------
# From here on most domains appear twice: once as an http rule (Host header) and once
# as a dns rule (query name). A single client that resolves and then fetches from one
# of these names can raise both alerts, so correlate on the domain rather than
# counting alerts. The dns rules carry no threshold keyword.
# NOTE(review): several names resemble CDN, web-font or Windows-update services
# ("clodflare", "fontawesome", "winupdate"); presumably lookalikes, but the page does
# not state this.
# NOTE(review): `dns_query` is the older spelling of the dns.query buffer, while the
# http rules already use the dotted form (http.method, http.uri, http.host); check the
# deployed Suricata version still accepts the older keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-server.click"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749001; rev:1;)
# In the http rules below whose URI content is "/" with depth:1, the URI test is met by
# any URI beginning with a slash, so they act as host-only matches on GET requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fonts-fontawesome.cfd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749002; rev:1;)
# dns rules: exact-name match (`depth` equals the content length and
# `isdataat:!1,relative` forbids trailing data), case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fonts-fontawesome.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"winupdateconf.cfd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winupdateconf.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winupdate.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"winupdate.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sdn-cloudflare-js.cfd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"cdn-clodflare-fotns.cfd"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-clodflare-fotns.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alffsave.click"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alffsave.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-clodflare-fotns.click"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-clodflare-fotns.click"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749014; rev:1;)
# The line below is the start of an http rule whose remainder follows this span; it is kept as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sccdnd-ltyles.click"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749015; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# --- payload-delivery names, http + dns pairs -----------------------------------------
# http rules: GET on an established client-to-server flow with http.host exactly equal
# to the listed name. The URI content is "/" with depth:1, which any URI beginning with
# a slash satisfies, so these act as host-only matches.
# dns rules: exact-name match on the query (`depth` equals the content length and
# `isdataat:!1,relative` forbids trailing data), case-insensitive, with no threshold.
# Each domain below is covered by both kinds of rule, so one client contact can raise
# two alerts; correlate on the domain when triaging.
# NOTE(review): http.host content has no `nocase`; this presumably relies on the buffer
# being lower-cased by Suricata, so confirm for the deployed version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bssapi.click"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749018; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sccdnd-ltyles.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bssapi.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sdn-cloudflare-js-botstrup.click"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdn-cloudflare-js-botstrup.click"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn2-server.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn2-server.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"str-smcontrcats.cfd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"str-smcontrcats.cfd"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"restapiserv.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"restapiserv.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vrfimgjs.click"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vrfimgjs.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749031; rev:1;)
# The line below is the start of a tcp ip:port rule whose remainder follows this span; it is kept as found.
alert tcp $HOME_NET any -> [37.221.66.75] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16;
classtype:trojan-activity; sid:91749040; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# --- ip:port indicators -----------------------------------------------------------------
# Alert on TCP traffic from $HOME_NET to one fixed address and port. With no flow or
# payload keyword, a hit shows only that the endpoint was contacted. Each rule is
# limited to one alert per source address per 60 seconds
# (`threshold: type limit, track by_src, seconds 60, count 1`).
alert tcp $HOME_NET any -> [8.162.0.105] 10438 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749057; rev:1;)
# Same address on two high ports.
alert tcp $HOME_NET any -> [87.106.142.201] 61543 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749068; rev:1;)
alert tcp $HOME_NET any -> [87.106.142.201] 49376 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749069; rev:1;)
alert tcp $HOME_NET any -> [184.170.142.38] 5552 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749108; rev:1;)
# dns rule: exact-name match on the query (`depth` equals the content length and
# `isdataat:!1,relative` forbids trailing data), case-insensitive, with no threshold.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7p9a.blu45modern.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749172; rev:1;)
#
# --- Vidar: six addresses, each listed twice ----------------------------------------------
# The six tcp rules below match any packet to port 443 on the listed address. The six
# http rules after them name the same addresses as http.host values with URI "/"
# (depth:1, so any URI beginning with a slash), on any port. The http form needs a
# parsed HTTP GET request, so it cannot see inside TLS. A cleartext request to one of
# these addresses on port 443 would satisfy both rules.
alert tcp $HOME_NET any -> [80.97.160.67] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749165; rev:1;)
alert tcp $HOME_NET any -> [89.167.79.136] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749166; rev:1;)
alert tcp $HOME_NET any -> [89.167.66.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749167; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.14] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749168; rev:1;)
alert tcp $HOME_NET any -> [46.62.220.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749169; rev:1;)
alert tcp $HOME_NET any -> [89.167.57.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749164; rev:1;)
# http.host here is an IP literal, so these match requests whose Host header is the
# bare address. NOTE(review): how a port suffix in the Host header is treated by
# http.host is not visible here; confirm before relying on these for non-default ports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.97.160.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.79.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.66.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.62.220.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.57.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud-m3.plum5parcel.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749156; rev:1;)
alert tcp $HOME_NET any -> [167.88.36.97] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749155; rev:1;)
# Confidence here is 90, between the 75 and 100 values used by the other rules in this span.
alert tcp $HOME_NET any -> [38.60.242.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749154/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_16; classtype:trojan-activity; sid:91749154; rev:1;)
# The line below is the start of a tcp ip:port rule whose remainder follows this span; it is kept as found.
alert tcp $HOME_NET any -> [193.161.193.99] 37104 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749152/; target:src_ip; metadata:
confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749152; rev:1;)
# The line above is the tail of a rule that begins before this span; it is kept as found.
#
# ip:port indicator: alerts on TCP traffic from $HOME_NET to the listed address and
# port, with no payload or flow condition, at most once per source address per 60
# seconds. It lists the same address as the rule fragment above, on a different port.
alert tcp $HOME_NET any -> [193.161.193.99] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749153; rev:1;)
#
# --- domain indicators (DNS), botnet C2 ---------------------------------------------------
# Exact-name match on the DNS query: `depth` equals the content length, which pins the
# match to the start of the name, and `isdataat:!1,relative` requires that nothing
# follows it. Only a query for exactly the listed name fires (case-insensitively). A
# rule for "www.example" does not cover the bare parent, and vice versa. There is no
# threshold keyword, so every matching query produces an alert. `target:src_ip` marks
# the querying host as the affected side. Where clients resolve through an internal
# resolver, that source is presumably the resolver rather than the endpoint; verify
# against sensor placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indianrecipes.ru.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pramodtoursandtravel.in.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.s666vn.fit"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749151; rev:1;)
# The remaining rules carry `confidence_level 75`.
# NOTE(review): many of these names read like ordinary business or organisation sites.
# The page does not say whether they are compromised legitimate hosts or
# attacker-registered, so treat a hit as a lead to confirm against the referenced
# ThreatFox entry, and consider routing on the metadata key.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jakeislame.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749142/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evy2023website.nohasslebusiness.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749143/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caldasservice.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749144/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"passer-elle.ch"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749145/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749145; rev:1;)
# Two names under the same parent (picassomedia.de); each is matched only as listed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eps-estrich.picassomedia.de"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749146/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kaestner-partner.picassomedia.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749147/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dailynews25.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749148/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"euroconnectsolution.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749127/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"indianafoodpantry.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749128/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lreindia.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749129/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epfindiauan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749130/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749130; rev:1;)
# The line below is the start of a dns rule whose remainder follows this span; it is kept as found.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"indianrailwayrecruitment.in"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1749131/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trustedservicez.co.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749132/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"garanti-sans-virus.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749133/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"russellinternationalschools.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749134/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"calismaiznibasvurusu.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749135/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pauloeduardodemelo1744295722000.kbral.com.br"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749136/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ramyjuicy-109c437.ingress-haven.ewp.live"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749137/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swissnoli.eu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749138/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visitassalt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749139/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elbassiounishop.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749140/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"250julie.nohassle.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749141/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749141; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captioz.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749120/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usajili.hamasagroup.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749121/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usanovafoundation.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749122/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"furusato-shinshu.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749123/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"autodentrepairphilly.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749124/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"whm.beverlyhillmanor.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749125/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"euromoc.co.mz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749126/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_16; classtype:trojan-activity; sid:91749126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"internal-web-proxy.plum5parcel.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dl.plum5parcel.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749117; rev:1;) alert tcp $HOME_NET any -> [170.245.122.76] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zebuceta.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1749116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749116; rev:1;) alert tcp $HOME_NET any -> [103.7.60.82] 37104 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weddingrings.com.ph"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749114; rev:1;) alert tcp $HOME_NET any -> [103.7.60.82] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gate-07.orbit6crate.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; 
classtype:trojan-activity; sid:91749099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1749104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"global-sync-srv.orbit6crate.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749093; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749075/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion"; depth:62; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api.orbit6crate.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749073; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-b12.nifty4locker.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749067; rev:1;) alert tcp $HOME_NET any -> [18.228.235.222] 2181 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749066; rev:1;) alert tcp $HOME_NET any -> [18.228.235.222] 81 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749065; rev:1;) alert tcp $HOME_NET any -> [64.89.163.98] 2403 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secure-access-point.nifty4locker.coupons"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ws.nifty4locker.coupons"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mumrj4z.didns.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skamottl3.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749056; rev:1;) alert tcp $HOME_NET any -> [87.251.75.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749054; rev:1;) alert tcp $HOME_NET any -> [95.163.86.204] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749053; rev:1;) alert tcp $HOME_NET any -> [18.228.82.60] 13710 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; 
classtype:trojan-activity; sid:91749052; rev:1;) alert tcp $HOME_NET any -> [181.162.184.56] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749051; rev:1;) alert tcp $HOME_NET any -> [3.87.112.15] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749050; rev:1;) alert tcp $HOME_NET any -> [194.26.192.214] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749049/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_16; classtype:trojan-activity; sid:91749049; rev:1;) alert tcp $HOME_NET any -> [44.249.87.241] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749048/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_16; classtype:trojan-activity; sid:91749048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"node-v99.amber9stash.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/3dc541941cdc4a25.php"; depth:21; nocase; http.host; content:"176.65.144.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"data-flow-central.amber9stash.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749039; rev:1;) alert tcp $HOME_NET any -> [192.159.99.107] 42069 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s3.amber9stash.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1749037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749037; rev:1;) alert tcp $HOME_NET any -> [3.139.237.36] 8008 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749035; rev:1;) alert tcp $HOME_NET any -> [102.117.166.65] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1749034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749034; rev:1;) alert tcp $HOME_NET any -> [144.124.242.84] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749033; rev:1;) alert tcp $HOME_NET any -> [185.243.241.94] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_16; classtype:trojan-activity; sid:91749032; rev:1;) alert tcp $HOME_NET any -> [45.154.98.174] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1749027/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91749027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"antivirusscan.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1749000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91749000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"sdn-cloudflare-js-botstrup.cfd"; depth:30; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdn-cloudflare-js-botstrup.cfd"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sdn-cloudflare-js-botstrup.cfd"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bootstrap-css-framework.cfd"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bootstrap-css-framework.cfd"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748995; rev:1;) alert tcp $HOME_NET any -> [93.127.133.9] 18661 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748993; rev:1;) alert tcp $HOME_NET any -> [93.127.133.9] 20856 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.henfruit.ro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"antivirusscan.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"antivirusscan.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"majin-54074.portmap.host"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.bet88hs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.bet88hs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bet88hs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748985; rev:1;) alert tcp $HOME_NET any -> [124.223.213.250] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2.cloud-safe.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"2.cloud-safe.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1.cloud-safe.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"1.cloud-safe.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wptest.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wptest.click"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1748978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748978; rev:1;) alert tcp $HOME_NET any -> [23.94.99.174] 4000 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748975; rev:1;) alert tcp $HOME_NET any -> [23.94.99.174] 4036 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748976; rev:1;) alert tcp $HOME_NET any -> [23.94.99.174] 4017 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endlessgrumbler.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"puump.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"puump.live"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748971; rev:1;) alert tcp $HOME_NET any -> [18.142.177.189] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748972/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"img-cdn-cloud.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"img-cdn-cloud.cfd"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-303-web.flash5saver.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748968; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"captcha-cds.click"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"captcha-cds.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"captcha-cds.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"captcha-cds.cfd"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"update-system-srv.flash5saver.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nascdn-js.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nascdn-js.life"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dev.flash5saver.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-server-styles.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-server-styles.cfd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748956/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_15; classtype:trojan-activity; sid:91748956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primedatahost1.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primedatahost2.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primedatahost3.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primedatahost4.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2fa-cp.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tri2s-sh7es.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"2fa-cp.cfd"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"styles-get-img.cfd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"styles-get-img.cfd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud-safe.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cloud-safe.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mndivorcemediator.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dev-js-cdn.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dev-js-cdn.cfd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-sss.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748940; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-sss.click"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdn-cloudflare-js.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sdn-cloudflare-js.click"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m-link.bonus3basket.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"global-site-check.bonus3basket.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e3ys4ixz.mint2layer.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7yj72fkc.mint2layer.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ns1.bonus3basket.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rpc-framework-check.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rpc-framework-check.cfd"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud-safe.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cloud-safe.click"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rpc-framework-check.click"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rpc-framework-check.click"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-server.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748922/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-server.click"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-server-styles.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-server-styles.click"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nascdn-js.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nascdn-js.click"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748917; rev:1;)
# Triage note: a client that resolves one of these names and then fetches it
# over plain HTTP raises two alerts (the dns sid and the http sid) for one
# event; correlate on source address before counting incidents.
# target:src_ip marks the $HOME_NET side as the affected host in the alert
# record, i.e. the machine to investigate.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn-js-conhost.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-js-conhost.click"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"img-cdn-cloud.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"img-cdn-cloud.click"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"sdn-cloudflare-js-css.click"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748912; rev:1;)
# http.method content "GET" limits the http rules to GET requests; other
# methods sent to the same host are not matched by these sids.
# dns_query is the legacy spelling of the dns.query sticky buffer; verify it
# is still accepted when moving to a newer Suricata release.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sdn-cloudflare-js-css.click"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2fa-cp.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"2fa-cp.click"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poygon-notifications.click"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poygon-notifications.click"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748907; rev:1;)
# The perk9parcel.coupons entries below list individual host names. Each rule
# is an exact match on the full query name, so other hosts under the same
# parent domain are not covered by these sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poygon-notifications.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poygon-notifications.cfd"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloud-st1.perk9parcel.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"direct-web-client.perk9parcel.coupons"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748901; rev:1;)
# ip:port rules: there are no flow or content keywords, so any TCP packet from
# $HOME_NET to the listed address and port matches, including an unanswered
# SYN. An alert therefore shows an attempted connection, not a completed C2
# session; confirm with flow records before escalating.
# threshold type limit / track by_src / seconds 60 / count 1 caps output at
# one alert per source address per 60 seconds for each rule.
alert tcp $HOME_NET any -> [160.178.228.128] 2222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748892; rev:1;)
alert tcp $HOME_NET any -> [13.38.84.114] 50001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748893; rev:1;)
alert tcp $HOME_NET any -> [13.38.84.114] 101 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748894; rev:1;)
alert tcp $HOME_NET any -> [217.216.48.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.perk9parcel.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748890; rev:1;)
alert tcp $HOME_NET any -> [46.225.136.75] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748879; rev:1;)
# Port 443 address rules match on destination address and port alone; the TLS
# payload is not inspected. An address can be reassigned or can host unrelated
# services, so weigh the first_seen date in the metadata during triage and
# rely on the feed refresh, not local edits, to age entries out.
alert tcp $HOME_NET any -> [83.228.229.195] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748880; rev:1;)
alert tcp $HOME_NET any -> [88.198.214.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748881; rev:1;)
alert tcp $HOME_NET any -> [83.228.225.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748882; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.157] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748883; rev:1;)
alert tcp $HOME_NET any -> [46.225.67.21] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748884; rev:1;)
alert tcp $HOME_NET any -> [83.147.192.235] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748885; rev:1;)
# One sid per address. Neighbouring addresses appear as separate entries
# (65.21.165.10 and 65.21.165.11 below); nothing wider than the exact address
# in brackets is matched, so an unlisted neighbour does not alert.
alert tcp $HOME_NET any -> [77.42.49.64] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748886; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748864; rev:1;)
alert tcp $HOME_NET any -> [74.0.48.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748865; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748866; rev:1;)
alert tcp $HOME_NET any -> [46.225.86.191] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748867; rev:1;)
alert tcp 
$HOME_NET any -> [80.97.160.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748868; rev:1;)
# The malware family appears only inside msg (here "Vidar"); the metadata
# field holds just confidence_level and first_seen. Alert pipelines that need
# the family have to parse msg or follow the reference URL.
alert tcp $HOME_NET any -> [91.98.229.254] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748869; rev:1;)
alert tcp $HOME_NET any -> [46.62.197.200] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748870; rev:1;)
alert tcp $HOME_NET any -> [46.225.118.134] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748871; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748872; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748873/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748873; rev:1;)
# In the visible rules the sid is the ThreatFox IOC id with a leading 9
# (ioc/1748874 -> sid:91748874). Keep that range free of local rules so a
# feed reload cannot collide with a site-specific sid.
# Direction is $HOME_NET -> listed address only; connections initiated from
# these addresses toward $HOME_NET are not covered.
alert tcp $HOME_NET any -> [77.42.49.65] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748874; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748875; rev:1;)
alert tcp $HOME_NET any -> [80.97.160.103] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748876; rev:1;)
alert tcp $HOME_NET any -> [65.21.165.13] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748877; rev:1;)
alert tcp $HOME_NET any -> [46.224.213.150] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbo.gadgetwalabd.com"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748856; rev:1;)
# The same short labels (gbo, hil, gor) recur under two parent domains. Only
# these exact host names are matched; the parent domains are not.
# The dns rules watch queries going from $HOME_NET to $EXTERNAL_NET. Where
# clients use an internal resolver, the query that matches is the resolver's
# upstream lookup, so the alert source (and target:src_ip) is the resolver;
# use resolver query logs to find the originating client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hil.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbo.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hil.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748861/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748861; rev:1;)
# The http rules below carry an IP literal as the Host value. They compare
# the text of the Host header, not the packet's destination address, and only
# in parsed cleartext HTTP; the destination is any $EXTERNAL_NET address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jvz.gadgetwalabd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jvz.alpinematters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.147.192.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.49.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"77.42.49.63"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748855; rev:1;)
# The http.uri test is a single "/" at depth 1, which any URI beginning with
# "/" satisfies, so the effective condition in these rules is: GET request
# plus exact Host value. The nocase after it applies to that one-byte content
# and changes nothing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.224.213.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.136.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.228.229.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748848; 
rev:1;)
# flow:established,from_client restricts these rules to client-side requests
# on an established TCP session, unlike the ip:port rules in this feed, which
# have no flow keyword and match on any packet to the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.214.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.228.225.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.157"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.67.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"46.62.197.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748838; rev:1;)
# These http rules carry no threshold keyword, so a client that polls one of
# the hosts produces one alert per matching request. If that volume is a
# problem, rate-limit per sid in the sensor's threshold configuration rather
# than editing the feed rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.118.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.49.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748842; rev:1;)
# Host values are matched as exact text (depth equals the value length,
# isdataat:!1,relative ends the match), so a request whose Host header
# differs by even one byte falls outside these sids. The address itself is
# covered separately by the ip:port entries of this feed where one exists.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.97.160.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jvz.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jvz.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"217.156.66.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748832; rev:1;)
# No rule here sets a priority keyword, so alert priority is whatever the
# sensor's classification config assigns to classtype trojan-activity.
# All entries use the alert action; nothing in this feed drops traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.165.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.86.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.97.160.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.98.229.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748837; rev:1;)
# The next two rules point at pages on shared public platforms
# (steamcommunity.com, telegram.me). The discriminator is the URI, not the
# host, and the URI content is anchored at the start only (depth, no
# isdataat), so a longer path that begins with the same bytes also matches.
# Both sites are normally reached over HTTPS, where an http rule cannot see
# the URI without TLS decryption; silence from these sids is not evidence
# that the page was not fetched. The hosts themselves carry legitimate
# traffic, so host-level blocking is not a substitute.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199872628623"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0nn1r"; depth:7; nocase; http.host; content:"telegram.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gbo.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hil.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748825; rev:1;)
# The Host contents carry no nocase modifier, unlike the dns rules. That is
# sufficient because http.host is a normalized buffer in which the host name
# is already lower-cased, and the listed values are lower case.
# These host names also have dns rules in this feed, so one plain-HTTP
# check-in can raise both a dns alert and an http alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.gadgetwalabd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gbo.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hil.alpinematters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.alpinematters.com"; depth:21; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1748829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748829; rev:1;)
# URL indicator: GET whose URI begins with the profile path and whose Host is
# exactly the listed name. The http.* buffers only see parsed HTTP, so a
# request made over TLS does not reach this rule unless it is decrypted before
# the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561198736378968"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748821; rev:1;)
# Domain indicators: the dns_query content has depth equal to its own length
# and is followed by isdataat:!1,relative, so the queried name must be exactly
# this string (case-insensitive through nocase). Other names under the same
# parent domain are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beta-node.deal4harbor.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"remote-access-v1.deal4harbor.coupons"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748817; rev:1;)
# ip:port indicators: these rules carry no flow, content or app-layer keyword,
# so they are evaluated on any TCP packet from $HOME_NET to the listed address
# and port, including a connection attempt that is never answered. The
# threshold keeps this to one alert per source address per 60 seconds.
# NOTE(review): confidence_level is 75 and the port is 80; the address may
# also serve unrelated content, so corroborate with proxy or endpoint logs
# before treating the source host as infected.
alert tcp $HOME_NET any -> [85.137.252.166] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748764/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748764; rev:1;)
alert tcp $HOME_NET any -> [135.136.1.134] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748765; rev:1;) alert tcp $HOME_NET any -> [67.217.228.145] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748766/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748766; rev:1;) alert tcp $HOME_NET any -> [176.65.144.87] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748767; rev:1;) alert tcp $HOME_NET any -> [98.142.251.94] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748768/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748768; rev:1;) alert tcp $HOME_NET any -> [194.33.61.151] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748769; rev:1;) alert tcp $HOME_NET any -> [199.91.220.41] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748771/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748771; rev:1;) alert tcp $HOME_NET any -> [185.156.108.230] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748770; rev:1;) alert tcp $HOME_NET any -> [196.251.107.145] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748772/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748772; rev:1;) alert tcp $HOME_NET any -> [193.221.200.176] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748773/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748773; rev:1;) alert tcp $HOME_NET any -> [185.143.228.226] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748774/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748774; rev:1;) alert tcp $HOME_NET any -> [144.31.221.193] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748775/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748775; rev:1;) alert tcp $HOME_NET any -> [212.224.86.227] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748776/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748776; rev:1;) alert tcp 
$HOME_NET any -> [178.16.52.110] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748777; rev:1;) alert tcp $HOME_NET any -> [187.77.19.50] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748778/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748778; rev:1;) alert tcp $HOME_NET any -> [45.243.236.40] 55555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748803; rev:1;) alert tcp $HOME_NET any -> [8.148.24.19] 11601 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"37.tcp.cpolar.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748815; rev:1;) alert tcp $HOME_NET any -> [5.89.184.32] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748814/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ws.deal4harbor.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edge-cache2.perkparcel.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748812; rev:1;) alert tcp $HOME_NET any -> [8.216.4.133] 449 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748811/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748811; rev:1;) alert tcp $HOME_NET any -> [213.165.60.3] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748810/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748810; rev:1;) alert tcp $HOME_NET any -> [165.245.130.101] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748809/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"internal-promo-zone.perkparcel.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748808; rev:1;)
# Domain indicators: depth equals the content length and isdataat:!1,relative
# forbids trailing bytes, so each rule matches one exact query name
# (case-insensitive). A sibling name under the same registered domain needs
# its own rule; none of these rules match on the parent domain alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.perkparcel.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srv-90.dealharbor.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748805; rev:1;)
# NOTE(review): this name looks like a per-user subdomain of a port-forwarding
# service (verify). The rule covers only this one label; whether other names
# under the same parent are permitted in this environment is a separate policy
# decision.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fqq121qq-33728.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748802; rev:1;)
# ip:port indicators: no flow, content or app-layer keyword, so the rule is
# evaluated on any TCP packet from $HOME_NET to the address and port,
# established or not; threshold limits output to one alert per source per
# 60 seconds. The same destination address is listed with more than one port,
# each pair under its own sid, so one infected host can raise several sids.
alert tcp $HOME_NET any -> [91.2.78.10] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748800; rev:1;)
alert tcp $HOME_NET any -> [91.2.78.10] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748801; rev:1;) alert tcp $HOME_NET any -> [91.2.78.10] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tri.eu.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sun-win.us.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analytics.uk.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unnleashed.uk.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallerydept.us.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdm111-37027.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748793; rev:1;) alert tcp $HOME_NET any -> [68.183.43.201] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748792/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748792; rev:1;) alert tcp $HOME_NET any -> [161.35.142.15] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748790/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748790; rev:1;) alert tcp $HOME_NET any -> [165.22.172.3] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748791/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748791; rev:1;) alert tcp $HOME_NET any -> [178.128.255.229] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748789/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748789; rev:1;) alert tcp $HOME_NET any -> [64.225.112.27] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748788/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748788; rev:1;) alert tcp $HOME_NET any -> [143.198.0.84] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748787/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748787; rev:1;) alert tcp $HOME_NET any -> [159.89.86.112] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748786/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748786; rev:1;) alert tcp $HOME_NET any -> [157.230.239.236] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748785/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748785; rev:1;) alert tcp $HOME_NET any -> [157.245.71.98] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748784/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748784; rev:1;) alert tcp $HOME_NET any -> [161.35.135.235] 
8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748783/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fast-track-delivery.dealharbor.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"api.dealharbor.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"user-node4.mintvoucher.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secure-gateway-app.mintvoucher.coupons"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"cdn.mintvoucher.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748762; rev:1;)
# Domain indicators: exact, case-insensitive match on the full query name
# (depth equals the content length; isdataat:!1,relative forbids trailing
# bytes). target:src_ip marks the querying internal host as the target side
# of the alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"auth88.snapbargain.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"static-data-srv.snapbargain.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748759; rev:1;)
# ip:port indicators labelled Meterpreter: header-only rules with no flow,
# content or app-layer keyword, evaluated on any TCP packet from $HOME_NET to
# the address and port; threshold limits output to one alert per source per
# 60 seconds.
# NOTE(review): the rule carries no expiry and the address is matched
# regardless of payload; first_seen in the metadata is the only age signal,
# so check the referenced ThreatFox entry for current status during triage.
# NOTE(review): Meterpreter is also used in authorized security testing;
# compare the source host and time against any engagement records before
# escalating.
alert tcp $HOME_NET any -> [103.177.46.47] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748757; rev:1;)
alert tcp $HOME_NET any -> [56.155.26.20] 57722 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748756; rev:1;)
alert tcp $HOME_NET any -> [43.199.155.40] 44241 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748753/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748753; rev:1;) alert tcp $HOME_NET any -> [18.223.170.132] 8557 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748754; rev:1;) alert tcp $HOME_NET any -> [56.155.26.20] 22322 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748755; rev:1;) alert tcp $HOME_NET any -> [43.199.155.40] 591 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748751; rev:1;) alert tcp $HOME_NET any -> [43.199.155.40] 4841 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748752; rev:1;) alert tcp $HOME_NET any -> [45.77.102.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"v5.snapbargain.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fus10n-vvex.fusion2harbor.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"formula.fusion2harbor.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2k6d.fusion2harbor.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748746; rev:1;) alert tcp $HOME_NET any -> [114.66.33.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748745; rev:1;) alert tcp $HOME_NET any -> [27.102.137.81] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qa7sawuw.wildframe41.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uon8hnbd.wildframe41.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shad0vv-rnix.shadow6nectar.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748741; rev:1;) alert tcp $HOME_NET any -> [13.200.54.243] 11343 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748656; rev:1;) alert tcp $HOME_NET any -> [70.162.0.237] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin.php"; depth:10; nocase; http.host; content:"goyslopjewbag.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inactivesophisticatedsolutions101.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesstheromantic.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748707; rev:1;) alert tcp $HOME_NET any -> [94.252.226.42] 40500 (msg:"ThreatFox Phorpiex botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748719; rev:1;) alert tcp $HOME_NET any -> [176.194.145.85] 40500 (msg:"ThreatFox Phorpiex botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748720; rev:1;) alert tcp $HOME_NET any -> 
[80.253.190.161] 40500 (msg:"ThreatFox Phorpiex botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748721; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 13795 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unaideg.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748739/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"withsuj.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748740/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oracle.shadow6nectar.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x1m.shadow6nectar.coupons"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"br33ze-llnk.breeze1falcon.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glacier.breeze1falcon.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9t5q.breeze1falcon.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k15kqv93.fluxdrive.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hix7q90u.fluxdrive.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1748731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748731; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 32265 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rnatr1x-vvay.matrix8piano.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"signal.matrix8piano.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3n7a.matrix8piano.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748722; rev:1;) alert tcp $HOME_NET any -> [120.231.9.225] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748717; rev:1;)
# The address 120.231.9.225 is listed once per port (8888 in the rule that ends above, then
# 80 and 6666). On port 80 the rule still looks only at the TCP header fields, so it cannot
# tell C2 traffic apart from any other service answering on that address and port.
alert tcp $HOME_NET any -> [120.231.9.225] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748718; rev:1;)
alert tcp $HOME_NET any -> [120.231.9.225] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748716; rev:1;)
# The msg text names Empire and Meterpreter, post-exploitation frameworks that are also used
# in authorised testing. NOTE(review): during triage, check hits against sanctioned
# engagements, and check first_seen, since an address can be reassigned after the IOC date.
# As with port 80 above, the 443 entry has no TLS or payload condition.
alert tcp $HOME_NET any -> [108.242.221.141] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748715; rev:1;)
alert tcp $HOME_NET any -> [18.229.140.33] 26037 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748713; rev:1;)
alert tcp $HOME_NET any -> [18.185.248.184] 52068 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748714; rev:1;)
alert tcp $HOME_NET any -> [18.236.86.123] 19999 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1748712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748712; rev:1;) alert tcp $HOME_NET any -> [134.199.185.50] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748711; rev:1;) alert tcp $HOME_NET any -> [77.81.139.66] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748710; rev:1;) alert tcp $HOME_NET any -> [119.91.54.176] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jung1e-rnate.jungle9orbit.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"outpost.jungle9orbit.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748705; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m9r3p.jungle9orbit.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawdawf-32460.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748703; rev:1;) alert tcp $HOME_NET any -> [165.154.54.45] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748702; rev:1;) alert tcp $HOME_NET any -> [45.88.137.42] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748701; rev:1;) alert tcp $HOME_NET any -> [172.160.225.152] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748700; rev:1;) alert tcp $HOME_NET any -> [172.160.225.152] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y2mate.it.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecqiea.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arnb3r-0rb.amber2vivid.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748696; rev:1;) alert tcp $HOME_NET any -> [23.247.130.245] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748695/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cascade.amber2vivid.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748693/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_15; classtype:trojan-activity; sid:91748693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6k2n.amber2vivid.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"procelo.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undimik.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upbeata.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currane.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drawnbe.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malaysa.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penmank.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interti.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kipeety.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revqhuu.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1748680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tothelo.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ziziphe.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conneci.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciliate.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octopox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2aagentive.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vcopp.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pearpops.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaffersnouty.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fusser-api.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"plantcenters.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"customwrapsnearme.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayeart.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r0cket-rnix.rocket7flora.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coloradospringsfences.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocinadecor.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1748665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iowainsurancegroup.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ontarioqualitycedar.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lantern.rocket7flora.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q4m8v.rocket7flora.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748659; rev:1;) alert tcp $HOME_NET any -> [45.112.194.82] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748658/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nebula-vv1ng.nebula4tango.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harvest.nebula4tango.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748654; rev:1;) alert tcp $HOME_NET any -> [18.229.140.33] 587 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748653; rev:1;) alert tcp $HOME_NET any -> [103.177.46.98] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748652; rev:1;) alert tcp $HOME_NET any -> [103.177.46.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748651; rev:1;) alert tcp $HOME_NET any -> [159.198.40.121] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748650; rev:1;)
alert tcp $HOME_NET any -> [148.113.55.164] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7p9a.nebula4tango.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748648; rev:1;)
# URL IOC rule: client-to-server data on an established flow, method GET, request URI
# beginning with "/api" (depth:4 with nocase, so any longer path with that prefix also
# matches) and an http.host value equal to the listed domain (depth plus
# isdataat:!1,relative). Unlike the ip:port rules there is no threshold, so every matching
# request raises an alert.
# NOTE(review): only HTTP the sensor can parse is covered. If the same host is reached over
# TLS this rule stays silent unless traffic is decrypted, so pair it with a DNS or TLS SNI
# check for the same name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"benefitsonlineportal.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"editorr.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"backsan.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748264; rev:1;) alert tcp $HOME_NET any -> [147.185.221.31] 3004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hanano-63144.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpmeporkogpeimeoptimize.dynuddns.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748277; rev:1;) alert tcp $HOME_NET any -> [79.139.173.100] 7822 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bot8507720456:aaepnovgcyydxm2d0jemo6am4qpyh0fi2x0/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748279; rev:1;)
# sid:91748279 (ending above) and sid:91748280 (next) each key on the sendMessage path of
# one Telegram bot, matched as parsed HTTP with http.host equal to api.telegram.org.
# The Telegram Bot API is served over HTTPS, so these rules can only fire where the sensor
# sees decrypted traffic. Only GET is covered; a POST to the same path would not alert.
# The path is stored lowercased and compared with nocase, so it is a match pattern only.
# NOTE(review): api.telegram.org is a shared legitimate service; the rules stay specific
# because of the per-bot path, not because of the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot8232514058:aaecwvt9fizcz81ikw8kyznobvgjujjblg0/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748280; rev:1;)
# Domain IOC rules: depth equal to the name length plus isdataat:!1,relative makes each an
# exact, case-insensitive match on the full queried name. The parent zones (ddns.net,
# portmap.host, camdvr.org) are presumably shared provider zones (TODO confirm); matching the
# full host name keeps other names under the same parent out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gramskate.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748282/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynhasmi-46863.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gramskate.camdvr.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remcos5050.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748286; rev:1;)
# NOTE(review): the next four URL rules place a bare IPv4 address in http.uri with depth
# equal to its length, so the request URI itself would have to begin with the address.
# An ordinary origin-form request URI begins with "/", so as written these look unlikely to
# fire. The address probably belongs in an http.host match, or in an ip:port rule like the
# others in this file (TODO confirm against the ThreatFox entries referenced below).
# There is also no http.host condition tying the match to a destination, and nocase has no
# effect on a pattern made only of digits and dots.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.30.242.54"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1748287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.244.70.130"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1748288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.169.12.176"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1748289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.34.196"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1748290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748290; rev:1;)
alert tcp $HOME_NET any -> 
[39.109.116.99] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748291; rev:1;) alert tcp $HOME_NET any -> [202.61.160.203] 10088 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748292; rev:1;) alert tcp $HOME_NET any -> [8.219.177.83] 1010 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748293; rev:1;) alert tcp $HOME_NET any -> [192.229.116.171] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748294; rev:1;) alert tcp $HOME_NET any -> [192.229.116.171] 444 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748295; rev:1;) alert tcp $HOME_NET any -> [125.208.23.7] 433 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748296/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748296; rev:1;)
# ip:port indicators for several families (named in each msg). Each rule
# matches on destination address and port alone, with no content inspection,
# and alerts at most once per source host per 60 s.
# NOTE(review): every entry carries first_seen 2026_02_15. C2 addresses get
# reassigned, so re-check the ThreatFox reference before acting on an old hit.
alert tcp $HOME_NET any -> [143.20.185.59] 15154 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748311; rev:1;)
alert tcp $HOME_NET any -> [23.146.184.77] 7002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748321; rev:1;)
alert tcp $HOME_NET any -> [198.244.201.139] 4834 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748322; rev:1;)
alert tcp $HOME_NET any -> [188.214.30.136] 6621 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748331; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.189] 4000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748332; rev:1;)
alert tcp $HOME_NET any -> [161.35.110.36] 48330 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748335; rev:1;)
# ip:port indicators (Mirai, XWorm). Each rule matches any TCP packet from
# $HOME_NET to the listed address and port and is rate-limited to one alert
# per source host per 60 s; the family name comes only from the ThreatFox
# label in msg, not from anything inspected on the wire.
alert tcp $HOME_NET any -> [45.83.207.188] 2310 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748336; rev:1;)
alert tcp $HOME_NET any -> [8.148.76.192] 12182 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748341; rev:1;)
alert tcp $HOME_NET any -> [109.122.18.53] 7788 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748345; rev:1;)
alert tcp $HOME_NET any -> [94.103.84.143] 9050 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.eztechnj.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748373; 
rev:1;)
# ip:port indicators (Mirai, XWorm, Cobalt Strike, Bashlite). The match is on
# the header only (destination address and port); the threshold keeps it to
# one alert per source host per 60 s.
# NOTE(review): 198.244.201.139 appears here on port 4886 and elsewhere in this
# file on port 4834. Correlate hits by destination address when triaging.
alert tcp $HOME_NET any -> [176.65.139.18] 6001 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748374; rev:1;)
alert tcp $HOME_NET any -> [198.244.201.139] 4886 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748377; rev:1;)
alert tcp $HOME_NET any -> [70.39.197.162] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748646; rev:1;)
alert tcp $HOME_NET any -> [130.12.180.55] 6621 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748378; rev:1;)
alert tcp $HOME_NET any -> [111.123.41.235] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748634; rev:1;)
alert tcp $HOME_NET any -> [106.53.160.33] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748645; rev:1;)
# Mixed block: ip:port indicators (header-only match, one alert per source
# host per 60 s) and one exact-match DNS indicator.
# NOTE(review): the MooBot and Quasar RAT entries sit on ports 80 and 8080.
# With no payload keyword, a hit shows only that a connection to the address
# was attempted, so corroborate with proxy or endpoint logs during triage.
alert tcp $HOME_NET any -> [8.148.194.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748644; rev:1;)
# depth equals the name length and isdataat:!1,relative forbids trailing
# bytes, so only the full query name matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackbearer.za.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748643; rev:1;)
alert tcp $HOME_NET any -> [176.65.139.17] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748642; rev:1;)
alert tcp $HOME_NET any -> [181.161.20.233] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748641; rev:1;)
alert tcp $HOME_NET any -> [197.147.230.202] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cityforum.sa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748638; rev:1;)
# Exact-match DNS indicators. In each rule depth equals the length of the name
# and isdataat:!1,relative forbids trailing bytes, so only the full query name
# matches; other hosts under the same parent domain are not covered.
# These rules inspect DNS queries that the sensor parses as DNS. Lookups made
# over an encrypted resolver channel will not reach the dns_query buffer.
# dns_query is the legacy spelling of the dns.query sticky buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roninhk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748639; rev:1;)
# Payload-delivery hostnames; several share a parent domain under .coupons.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"internal-promo-link.federleicht.coupons"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b3-alpha.federleicht.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"direct-gateway-77.vifespoir.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"tracking.vifespoir.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748633; rev:1;)
# URL indicator: GET requests whose http.uri starts with "/api" (depth:4, with
# no end anchor, so longer paths with that prefix also match) and whose
# http.host is exactly the listed name (depth equals its length, and
# isdataat:!1,relative forbids trailing bytes).
# As an http rule it sees only requests the sensor can parse as HTTP; the same
# traffic inside TLS is not inspected unless it is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ziziphe.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748632; rev:1;)
# NOTE(review): 128.0.0.1 and 129.0.0.1 (consecutive ThreatFox ids, same port)
# look like placeholder or mistyped values rather than observed C2 hosts.
# Verify against the referenced entries before acting on a hit or reusing the
# addresses in a block list.
alert tcp $HOME_NET any -> [128.0.0.1] 7004 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748630; rev:1;)
alert tcp $HOME_NET any -> [129.0.0.1] 7004 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748631; rev:1;)
# Exact-match DNS indicator (full query name only, case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go.stillesee.coupons"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748628; rev:1;)
alert tcp $HOME_NET any -> [13.230.146.162] 44819 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748627; rev:1;)
# ip:port indicators (Remcos, Cobalt Strike, Xtreme RAT). The match is on
# destination address and port only, limited to one alert per source host
# per 60 s.
# NOTE(review): the two Cobalt Strike entries on ports 80 and 443 have no
# payload or TLS keyword, so a hit does not show that beacon traffic was
# exchanged. Pair it with proxy, TLS or endpoint evidence before escalating.
alert tcp $HOME_NET any -> [107.182.173.138] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748626; rev:1;)
alert tcp $HOME_NET any -> [101.132.167.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748625; rev:1;)
alert tcp $HOME_NET any -> [72.62.119.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748624; rev:1;)
alert tcp $HOME_NET any -> [120.192.67.135] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748623; rev:1;)
# First entry of a long run of Cobalt Strike indicators that all use TCP port
# 28713 and differ only in destination address, reference and sid.
alert tcp $HOME_NET any -> [156.234.94.199] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748620; rev:1;)
alert tcp $HOME_NET any -> [156.234.94.214] 28713 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748621; rev:1;)
# Cobalt Strike ip:port indicators, all on TCP port 28713. The rules are
# identical apart from destination address, reference and sid.
# Because thresholding is per sid and per source, a host that contacts several
# of these addresses raises one alert per address. Group hits by source host
# and destination port when triaging.
alert tcp $HOME_NET any -> [43.249.175.67] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748622; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.116] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748617; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.107] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748618; rev:1;)
alert tcp $HOME_NET any -> [43.243.191.251] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748619; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.251] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748614/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748614; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713. Matching is header-only
# (any TCP packet from $HOME_NET to the address and port), limited to one
# alert per source host per 60 s for each rule.
alert tcp $HOME_NET any -> [23.235.179.109] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748615; rev:1;)
alert tcp $HOME_NET any -> [156.234.94.222] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748616; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.83] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748613; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.247] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748610; rev:1;)
alert tcp $HOME_NET any -> [103.37.2.11] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748611; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.100] 28713 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748612; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713; only the destination
# address, reference and sid vary between rules.
# NOTE(review): a single rule with a bracketed address list would cost fewer
# signatures, but it would lose the per-indicator sid and reference that link
# an alert back to its ThreatFox entry. Weigh that trade-off before
# consolidating.
alert tcp $HOME_NET any -> [43.243.191.233] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748608; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.112] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748609; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.119] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748606; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.97] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748607; rev:1;)
alert tcp $HOME_NET any -> [103.37.2.23] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748604/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748604; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713 (header-only match,
# one alert per source host per 60 s for each rule).
alert tcp $HOME_NET any -> [23.235.179.121] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748605; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.68] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748602; rev:1;)
alert tcp $HOME_NET any -> [23.235.182.108] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748603; rev:1;)
alert tcp $HOME_NET any -> [156.234.94.208] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748601; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.110] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748600; rev:1;)
alert tcp $HOME_NET any -> [43.243.191.230] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748599; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713. target:src_ip marks the
# $HOME_NET host that initiated the connection as the target in the alert
# event, so the source address is the one to investigate.
alert tcp $HOME_NET any -> [43.243.191.227] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748598; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.116] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748597; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.240] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748596; rev:1;)
alert tcp $HOME_NET any -> [23.235.182.100] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748595; rev:1;)
alert tcp $HOME_NET any -> [43.243.191.232] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; 
classtype:trojan-activity; sid:91748594; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713 (header-only match,
# one alert per source host per 60 s for each rule).
alert tcp $HOME_NET any -> [23.235.182.124] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748593; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.103] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748592; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.87] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748588; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.245] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748589; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.118] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748590; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.110] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748591; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713. The rules contain no
# payload keyword, so the Cobalt Strike attribution rests on the ThreatFox
# label in msg and not on anything observed in the traffic.
alert tcp $HOME_NET any -> [23.235.182.125] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748586; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.109] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748587; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.113] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748582; rev:1;)
alert tcp $HOME_NET any -> [156.234.94.209] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748583; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.82] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; 
sid:91748584; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713 (header-only match,
# one alert per source host per 60 s for each rule).
alert tcp $HOME_NET any -> [43.249.175.89] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748585; rev:1;)
alert tcp $HOME_NET any -> [103.37.2.10] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748578; rev:1;)
alert tcp $HOME_NET any -> [23.235.182.104] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748579; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.121] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748580; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.126] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748581; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.91] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1748576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748576; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713. All carry first_seen
# 2026_02_15, so re-check the ThreatFox reference before relying on an older
# hit; addresses can be reassigned.
alert tcp $HOME_NET any -> [156.234.94.211] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748577; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.124] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748573; rev:1;)
alert tcp $HOME_NET any -> [43.243.191.245] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748574; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.122] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748575; rev:1;)
alert tcp $HOME_NET any -> [103.37.2.4] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748571; rev:1;)
alert tcp $HOME_NET 
any -> [43.249.175.71] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748572; rev:1;)
# Cobalt Strike ip:port indicators on TCP port 28713 (header-only match,
# one alert per source host per 60 s for each rule).
alert tcp $HOME_NET any -> [43.243.191.247] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748569; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.243] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748570; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.98] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748566; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.114] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748567; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.98] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748568; rev:1;) alert tcp $HOME_NET any -> [23.235.179.106] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748563; rev:1;) alert tcp $HOME_NET any -> [23.235.182.110] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748564; rev:1;) alert tcp $HOME_NET any -> [156.234.94.205] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748565; rev:1;) alert tcp $HOME_NET any -> [43.249.175.80] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748561; rev:1;) alert tcp $HOME_NET any -> [43.249.175.78] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748562; rev:1;) alert tcp $HOME_NET any -> [156.234.247.119] 
28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748558; rev:1;) alert tcp $HOME_NET any -> [43.243.191.229] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748559; rev:1;) alert tcp $HOME_NET any -> [43.243.191.252] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748560; rev:1;) alert tcp $HOME_NET any -> [156.234.94.194] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748556; rev:1;) alert tcp $HOME_NET any -> [23.226.58.248] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748557; rev:1;) alert tcp $HOME_NET any -> [156.234.94.202] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748554/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748554; rev:1;) alert tcp $HOME_NET any -> [43.249.175.90] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748555; rev:1;) alert tcp $HOME_NET any -> [103.37.2.14] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748552; rev:1;) alert tcp $HOME_NET any -> [43.249.175.85] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748553; rev:1;) alert tcp $HOME_NET any -> [156.234.247.117] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748549; rev:1;) alert tcp $HOME_NET any -> [156.234.94.203] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748550; rev:1;) alert tcp $HOME_NET any -> [23.226.58.226] 28713 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748551; rev:1;) alert tcp $HOME_NET any -> [23.235.182.98] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748547; rev:1;) alert tcp $HOME_NET any -> [23.235.179.120] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748548; rev:1;) alert tcp $HOME_NET any -> [23.235.182.107] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748545; rev:1;) alert tcp $HOME_NET any -> [23.235.182.123] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748546; rev:1;) alert tcp $HOME_NET any -> [103.37.2.18] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748543/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748543; rev:1;) alert tcp $HOME_NET any -> [156.234.94.217] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748544; rev:1;) alert tcp $HOME_NET any -> [43.249.175.65] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748541; rev:1;) alert tcp $HOME_NET any -> [23.235.179.103] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748542; rev:1;) alert tcp $HOME_NET any -> [43.243.191.244] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748539; rev:1;) alert tcp $HOME_NET any -> [43.249.175.88] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748540; rev:1;) alert tcp $HOME_NET any -> [23.235.182.114] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748538; rev:1;)
# ip:port IOC rules (Cobalt Strike, destination port 28713). Each one matches on
# the rule header only: TCP from $HOME_NET to the listed address and port. No
# flow or payload keyword is present, so an alert records that a packet was sent
# towards that endpoint, not that a session completed or what it carried.
# threshold (type limit, track by_src, count 1, seconds 60) caps each rule at
# one alert per source address per 60 seconds.
# target:src_ip marks the $HOME_NET sender as the target in the alert record.
alert tcp $HOME_NET any -> [103.37.2.19] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748537; rev:1;)
alert tcp $HOME_NET any -> [43.249.175.69] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748536; rev:1;)
# Domain IOC rule. depth:35 equals the length of the content string and
# isdataat:!1,relative requires that no byte follows it, so the dns_query buffer
# must equal this name exactly (nocase makes the comparison case-insensitive).
# A query for any other name under the same parent domain is not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"static-assets-srv.stillesee.coupons"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748535; rev:1;)
# Header-only ip:port rule of the same form, but published with
# confidence_level 75 (the msg text says 75% as well).
# NOTE(review): the metadata key can be used to filter or down-rank such entries;
# how depends on the rule-management tooling in use — confirm.
alert tcp $HOME_NET any -> [23.226.58.225] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748534/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_15; classtype:trojan-activity; sid:91748534; rev:1;)
# Domain IOC rule in the same exact-match form (depth:30 equals the content length).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quick-verify.terrepure.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748379/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"app.terrepure.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"de-partner-node.mondlicht.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn7.mondlicht.coupons"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748369; rev:1;) alert tcp $HOME_NET any -> [107.174.53.198] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748368; rev:1;) alert tcp $HOME_NET any -> [185.141.216.8] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748367; rev:1;) alert tcp $HOME_NET any -> [130.12.180.55] 80 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748366; rev:1;) alert tcp $HOME_NET any -> [62.60.148.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748365; rev:1;) alert tcp $HOME_NET any -> [16.58.237.124] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748364; rev:1;) alert tcp $HOME_NET any -> [23.235.179.126] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748363; rev:1;) alert tcp $HOME_NET any -> [156.234.94.200] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748362; rev:1;) alert tcp $HOME_NET any -> [23.226.58.252] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748361/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_15; classtype:trojan-activity; sid:91748361; rev:1;)
# URL IOC rule on established client-to-server HTTP traffic. Apart from the GET
# method, the only content match is the literal "144.31.139.187", anchored to the
# first 14 bytes of http.uri (depth:14 equals the string length). There is no
# http.host match in this rule.
# NOTE(review): a request URI normally begins with a "/" path, so this looks
# like a host-only IOC rendered into the URI buffer and may rarely fire as
# written — confirm against the referenced ThreatFox entry before relying on it.
# Published with confidence_level 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.31.139.187"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1748360/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748360; rev:1;)
# Domain IOC rules. In each, depth equals the length of the content string and
# isdataat:!1,relative requires that no byte follows it, so the dns_query buffer
# must equal the listed name exactly (nocase makes the comparison
# case-insensitive). A query for any other name under the same parent domain is
# not matched by these rules.
# target:src_ip marks the querying $HOME_NET host as the target in the alert record.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"secure-login-area.cielsombre.coupons"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v3.cielsombre.coupons"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fssop-77-91-148-5.a.free.pinggy.link"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cptoptious.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; 
classtype:trojan-activity; sid:91748354; rev:1;) alert tcp $HOME_NET any -> [45.142.44.125] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748353; rev:1;) alert tcp $HOME_NET any -> [135.125.188.227] 5090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xoilaciu.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748351; rev:1;) alert tcp $HOME_NET any -> [18.142.177.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748350; rev:1;) alert tcp $HOME_NET any -> [103.37.2.20] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748348; rev:1;) alert tcp $HOME_NET any -> [69.148.168.199] 25565 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748349; rev:1;) alert tcp $HOME_NET any -> [23.235.179.125] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748347; rev:1;) alert tcp $HOME_NET any -> [103.37.2.25] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7wgxbccc.cyberlane.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cqebzhel.cyberlane.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p1ea-rnask.plea36slavneck.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748342/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_14; classtype:trojan-activity; sid:91748342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lantern.plea36slavneck.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r2k6d.plea36slavneck.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748334; rev:1;) alert tcp $HOME_NET any -> [199.101.111.99] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748329; rev:1;) alert tcp $HOME_NET any -> [103.177.46.26] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748328; rev:1;) alert tcp $HOME_NET any -> [134.199.219.201] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748327; rev:1;) alert tcp $HOME_NET any -> [95.85.244.160] 8888 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748326; rev:1;) alert tcp $HOME_NET any -> [43.243.191.254] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748325; rev:1;) alert tcp $HOME_NET any -> [62.164.177.230] 80 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gologpoint.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748323; rev:1;) alert tcp $HOME_NET any -> [91.89.111.120] 6000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748319; rev:1;) alert tcp $HOME_NET any -> [119.167.205.169] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748317/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748317; rev:1;) alert tcp $HOME_NET any -> [217.91.52.249] 2404 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748316; rev:1;) alert tcp $HOME_NET any -> [156.234.94.218] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748315; rev:1;) alert tcp $HOME_NET any -> [27.221.15.199] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748314/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748314; rev:1;) alert tcp $HOME_NET any -> [165.245.130.101] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748313/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748313; rev:1;) alert tcp $HOME_NET any -> [107.172.31.101] 8891 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748312/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748312; rev:1;) alert tcp $HOME_NET any -> [38.76.193.175] 7777 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748309; rev:1;) alert tcp $HOME_NET any -> [38.76.193.175] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748308; rev:1;) alert tcp $HOME_NET any -> [38.76.193.175] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoathinh3d.la"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gomabkiruna.ru.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h0m0-vvex.homo483geneous.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; 
classtype:trojan-activity; sid:91748304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"artifact.homo483geneous.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x1m.homo483geneous.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k0zhev-rnix.kozhevnik6lan.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glacier.kozhevnik6lan.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748300; rev:1;) alert tcp $HOME_NET any -> [199.101.111.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748299; rev:1;) alert tcp $HOME_NET any -> 
[150.109.63.68] 64443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748298; rev:1;) alert tcp $HOME_NET any -> [105.68.228.221] 80 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748297; rev:1;) alert tcp $HOME_NET any -> [102.98.205.122] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748285; rev:1;) alert tcp $HOME_NET any -> [69.167.10.162] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748281; rev:1;) alert tcp $HOME_NET any -> [46.151.28.66] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748274; rev:1;) alert tcp $HOME_NET any -> [45.88.186.230] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748261/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748261; rev:1;) alert tcp $HOME_NET any -> [23.226.52.148] 27981 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9t5q.kozhevnik6lan.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748259; rev:1;) alert tcp $HOME_NET any -> [45.74.19.28] 443 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748258/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"endlessgrumbler.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748257; rev:1;) alert tcp $HOME_NET any -> [144.172.105.225] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747941; 
rev:1;) alert tcp $HOME_NET any -> [141.94.23.83] 14433 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747943; rev:1;) alert tcp $HOME_NET any -> [54.38.55.91] 14433 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747944; rev:1;) alert tcp $HOME_NET any -> [147.185.221.211] 60581 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747955; rev:1;) alert tcp $HOME_NET any -> [78.29.43.89] 1488 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747958; rev:1;) alert tcp $HOME_NET any -> [158.94.210.195] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747967; rev:1;) alert tcp $HOME_NET any -> [78.29.43.89] 40544 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747987/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747987; rev:1;) alert tcp $HOME_NET any -> [185.208.159.174] 1337 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747991; rev:1;) alert tcp $HOME_NET any -> [104.168.7.222] 15407 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748000; rev:1;) alert tcp $HOME_NET any -> [193.187.91.209] 54073 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748001; rev:1;) alert tcp $HOME_NET any -> [198.244.201.139] 3964 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748060; rev:1;) alert tcp $HOME_NET any -> [104.250.167.52] 9095 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"uqhjqliqb4shjkmd.frostapi.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upload.frostapi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evasivestars.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"176.65.148.31.ptr.pfcloud.network"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748069/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_14; classtype:trojan-activity; sid:91748069; rev:1;) alert tcp $HOME_NET any -> [176.65.148.31] 51321 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748070/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_14; classtype:trojan-activity; sid:91748070; rev:1;) alert tcp $HOME_NET any -> [172.235.171.65] 40639 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748080; rev:1;) alert tcp $HOME_NET any -> [146.70.226.138] 5103 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748082; rev:1;) alert tcp $HOME_NET any -> [147.185.221.181] 9539 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748108; rev:1;) alert tcp $HOME_NET any -> [155.117.44.130] 1337 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748113; rev:1;) alert tcp $HOME_NET any -> [169.224.4.4] 37625 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckvyonlulzcjnleiknrmvmwouqvjkgaijcagpspr.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748120; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwdvcxhfzaplyiyvcpfbdepelkxnegdnjnywopeb.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qkoyfenxbyimpvnbsoibyfovpdydxjghovpqzxys.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragxggbbhytljtuxtdkltyucygeyvegfctbsurnz.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhadenozoowgoxokqgjvctlehtjmhwyocirfrjcg.duckdns.org"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748135; rev:1;) alert tcp $HOME_NET any -> [107.152.32.98] 2557 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748136/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748136; rev:1;) alert tcp $HOME_NET any -> 
[34.41.139.193] 5202 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portuge.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748209; rev:1;) alert tcp $HOME_NET any -> [141.227.129.198] 14433 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748216; rev:1;) alert tcp $HOME_NET any -> [147.185.221.29] 34986 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748223; rev:1;) alert tcp $HOME_NET any -> [198.244.201.139] 3913 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brekaz.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1748196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"brekaz.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748197; rev:1;) alert tcp $HOME_NET any -> [161.35.110.36] 24598 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fxplay.in"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747757/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"displaysecurity.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747756/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liveworkplaylkn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747758/; target:src_ip; metadata: confidence_level 
75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ranchernandez.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747759/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sportsstories.gr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747760/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"constructora-alpigroup.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747761/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"territoriodoagro.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747762/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"razzledazzlejewelrystore.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747764/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747764; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thewigdoctorshop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747763/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"meguri-toroge.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"storehouseholdingsinc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747766/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ajedrezchiletorneos.cl"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747768/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"campbrainstorm.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"anotherroadtutoring.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"protectormexico.com.mx"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bekaskantor.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747771/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shreeshyammotors.in"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747772/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creators--cloud.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747773/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arnaelevators.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1747774/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thewrightgiftstore.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747775/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tentori.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747776/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buckscountytaxattorney.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wiki.webitfactory.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747778/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuve-fioul-services.fr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747779/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; 
classtype:trojan-activity; sid:91747779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"divinedirectory.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747780/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thekeyfactor.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747781/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prospectorplumbing.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747782/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"translator.isotoop.be"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747783/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.bldg-restoration.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747784/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91747784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"cyrex.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"74.0.48.100"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.terriberrynj.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747748; rev:1;) alert tcp $HOME_NET any -> [43.228.157.33] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747623/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_14; classtype:trojan-activity; sid:91747623; rev:1;) alert tcp $HOME_NET any -> [64.190.113.206] 79 (msg:"ThreatFox MintsLoader payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747542; rev:1;) alert tcp $HOME_NET any -> [124.198.132.104] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747537; rev:1;) alert tcp $HOME_NET any -> [104.156.155.94] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747514; rev:1;) alert tcp $HOME_NET any -> [156.247.41.106] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 77%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747515/; target:src_ip; metadata: confidence_level 77, first_seen 2026_02_14; classtype:trojan-activity; sid:91747515; rev:1;) alert tcp $HOME_NET any -> [185.177.57.70] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 88%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747485/; target:src_ip; metadata: confidence_level 88, first_seen 2026_02_14; classtype:trojan-activity; sid:91747485; rev:1;) alert tcp $HOME_NET any -> [85.120.81.158] 18916 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91747487; rev:1;) alert tcp $HOME_NET any -> [101.200.193.211] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zjrhp8su2.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"captiort.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"task.osmagnatas.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748253; rev:1;) alert tcp $HOME_NET any -> [95.31.213.79] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748252; rev:1;) alert tcp $HOME_NET any -> [138.252.132.50] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bju1b4zl.websphere.digital"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qhqkhnsg.websphere.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nab0k0v-llnk.nabokov30slam.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748247; rev:1;) alert tcp $HOME_NET any -> [147.185.221.29] 3765 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"verbatim.nabokov30slam.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z3n7a.nabokov30slam.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748244/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pr1sk-rnate.prisk7tarvo.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"outpost.prisk7tarvo.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m6r8p.prisk7tarvo.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"f1int-0rb.flint1zarco.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748236; rev:1;)
# NOTE(review): ip:port rule on destination port 53, written for TCP only. If this
# C2 is reached with DNS over UDP the rule will not see it - confirm the transport
# against the ThreatFox entry before relying on it.
# The rule carries no flow or flags keyword, so any TCP packet from $HOME_NET to this
# address and port raises it, a bare SYN included; an alert therefore shows a
# connection attempt, not an established session. The threshold limits output to one
# alert per source IP per 60 seconds. Feed confidence for this entry is 75%.
alert tcp $HOME_NET any -> [185.196.8.2] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748234/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748234; rev:1;)
# Domain rules: the dns_query content uses a depth equal to the name's length, plus
# isdataat:!1,relative and nocase, so a rule matches only a query for exactly that
# name (case-insensitive). A query for a subdomain or a sibling host does not match;
# the .coupons names below that share a parent domain are each covered only by
# their own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cascade.flint1zarco.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748233; rev:1;)
# NOTE(review): ns1/ns2 look like name-server host names - TODO confirm what the
# IOC represents. dns_query inspects the queried name, so these two rules fire only
# when a client asks for the ns1/ns2 name itself, not when some other name is
# resolved through those servers. Feed confidence is 75%.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns2.bbcbook.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748232/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ns1.bbcbook.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748231/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t4k2n.flint1zarco.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cr1nt-vvay.crint3valko.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence
level: 100%)"; dns_query; content:"saffron.crint3valko.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748228; rev:1;) alert tcp $HOME_NET any -> [151.242.152.131] 79 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748227; rev:1;) alert tcp $HOME_NET any -> [151.242.152.131] 1234 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748225; rev:1;) alert tcp $HOME_NET any -> [151.242.152.131] 2345 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748226; rev:1;) alert tcp $HOME_NET any -> [47.237.82.83] 520 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"drawnbe.cyou"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1748222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748222; rev:1;) alert tcp $HOME_NET any -> [18.180.199.50] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748220; rev:1;) alert tcp $HOME_NET any -> [45.151.236.233] 3765 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748218; rev:1;) alert tcp $HOME_NET any -> [210.87.69.224] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xoilaczzasz.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748215/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_14; classtype:trojan-activity; sid:91748215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"q7m9v.crint3valko.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748214; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b1int-rnix.blint8darvo.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harvest.blint8darvo.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8p3a.blint8darvo.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"portuge.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1748208/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748208; rev:1;) alert tcp $HOME_NET any -> [107.172.31.102] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748207; rev:1;) alert tcp $HOME_NET any -> [80.97.160.68] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748206; rev:1;) alert tcp $HOME_NET any -> [213.64.72.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748205; rev:1;) alert tcp $HOME_NET any -> [156.234.94.213] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securityalarms.us.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhl.it.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"natur-klang.waldlied.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1748201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gruen-blatt.waldlied.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coffre-fort.noitresor.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mon-tresor.noitresor.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vn-vlxx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wald-lauf.herbstlauf.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748190/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_14; classtype:trojan-activity; sid:91748190; rev:1;)
# NOTE(review): the 172.67.x.x and 104.21.x.x destinations in this group of AsyncRAT
# rules appear to be Cloudflare edge addresses, which are shared by many unrelated
# sites - verify against Cloudflare's published ranges. A hit shows a host contacting
# that edge on 1604/4782, not which origin sits behind it, so the address is a weak
# indicator on its own (feed confidence is 75%). Correlate with the DNS name the
# host resolved beforehand before acting on the IP, and avoid turning these entries
# into address-wide blocks.
alert tcp $HOME_NET any -> [172.67.223.20] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748188/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748188; rev:1;)
alert tcp $HOME_NET any -> [172.67.223.20] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748189/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748189; rev:1;)
alert tcp $HOME_NET any -> [172.67.135.231] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748186/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748186; rev:1;)
alert tcp $HOME_NET any -> [172.67.135.231] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748187/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748187; rev:1;)
alert tcp $HOME_NET any -> [104.21.70.134] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748185/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748185; rev:1;)
alert tcp $HOME_NET any -> [104.21.7.84] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds
60, count 1; reference:url, threatfox.abuse.ch/ioc/1748183/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748183; rev:1;) alert tcp $HOME_NET any -> [104.21.70.134] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748184/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748184; rev:1;) alert tcp $HOME_NET any -> [104.21.7.84] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748182/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boscodellabella.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748181/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gold-zeit.herbstlauf.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t72k-30675.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; 
sid:91748179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggmenp120-43957.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odayrifaii-37201.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748177; rev:1;) alert tcp $HOME_NET any -> [65.153.151.24] 8800 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748176/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748176; rev:1;) alert tcp $HOME_NET any -> [46.148.231.117] 587 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748175/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748175; rev:1;) alert tcp $HOME_NET any -> [23.235.179.118] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748174; rev:1;) alert tcp $HOME_NET any -> [163.181.123.15] 4506 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748173/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748173; rev:1;) alert tcp $HOME_NET any -> [13.115.210.186] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748172/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nuit-douce.revesage.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hotehotehotel123.dynuddns.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748169/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748169; rev:1;) alert tcp $HOME_NET any -> [195.177.94.132] 8443 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748166; rev:1;) alert tcp $HOME_NET any -> [91.92.242.165] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; 
classtype:trojan-activity; sid:91748165; rev:1;) alert tcp $HOME_NET any -> [89.124.67.107] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"grand-reve.revesage.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kalt-start.winterzug.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eis-bahn.winterzug.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eco-nature.clairforet.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bois-vert.clairforet.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748150; rev:1;) alert tcp $HOME_NET any -> [160.191.77.61] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748149; rev:1;) alert tcp $HOME_NET any -> [196.251.107.159] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748148; rev:1;) alert tcp $HOME_NET any -> [23.226.58.249] 28713 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748147/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stern-fahrt.stolzmond.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748145; rev:1;) alert tcp $HOME_NET any -> [192.252.181.116] 448 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748144; rev:1;)
alert tcp $HOME_NET any -> [192.252.181.120] 448 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748142; rev:1;)
alert tcp $HOME_NET any -> [192.252.181.116] 447 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748143; rev:1;)
# NOTE(review): the content "91.196.33.68" is matched in http.uri with depth:12, so
# it is anchored at the first byte of the URI. An origin-form request URI starts
# with "/", so this presumably never matches ordinary requests. The other URL rules
# in this file put the host in http.host and the path in http.uri; here the IOC's
# host looks to have ended up in the URI buffer. Confirm against the ThreatFox entry
# and, if so, match the address in http.host. Until then treat this sid as
# providing no coverage rather than as a quiet rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.196.33.68"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1748141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mond-schein.stolzmond.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748140; rev:1;)
alert tcp $HOME_NET any -> [172.111.213.110] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748139; rev:1;)
alert
tcp $HOME_NET any -> [152.89.162.5] 50987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webxio1231-40781.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7mgtwzocu.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748133; rev:1;) alert tcp $HOME_NET any -> [107.163.241.194] 6520 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748132; rev:1;) alert tcp $HOME_NET any -> [212.28.186.94] 7004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748131; rev:1;) alert tcp $HOME_NET any -> [192.144.211.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748130; rev:1;) alert tcp $HOME_NET any -> [128.90.115.3] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748129; rev:1;) alert tcp $HOME_NET any -> [195.66.215.248] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748128; rev:1;) alert tcp $HOME_NET any -> [169.40.135.7] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748127; rev:1;) alert tcp $HOME_NET any -> [194.164.96.98] 1803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748126; rev:1;) alert tcp $HOME_NET any -> [172.96.137.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748125/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_14; classtype:trojan-activity; sid:91748125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"promo-libre.ventdoux.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748122; rev:1;) alert tcp $HOME_NET any -> [156.234.94.210] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748119/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748119; rev:1;) alert tcp $HOME_NET any -> [156.234.56.34] 19273 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748118/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.koga.ar"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748117/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_14; classtype:trojan-activity; sid:91748117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vent-frais.ventdoux.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blitz-deal.blaukraft.coupons"; depth:28; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"top-angebot.blaukraft.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748110; rev:1;) alert tcp $HOME_NET any -> [199.101.111.60] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748107; rev:1;) alert tcp $HOME_NET any -> [43.201.5.24] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748106; rev:1;) alert tcp $HOME_NET any -> [168.245.203.77] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748105; rev:1;) alert tcp $HOME_NET any -> [199.101.111.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748104; 
rev:1;) alert tcp $HOME_NET any -> [45.227.253.115] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748103; rev:1;) alert tcp $HOME_NET any -> [213.142.151.94] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748102; rev:1;) alert tcp $HOME_NET any -> [149.28.254.111] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748101; rev:1;) alert tcp $HOME_NET any -> [172.93.222.219] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748100; rev:1;) alert tcp $HOME_NET any -> [149.50.96.57] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748099; rev:1;) alert tcp $HOME_NET any -> [43.249.175.83] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1748098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_14; classtype:trojan-activity; sid:91748098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"super-prix.pommerouge.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"extra-bonus.pommerouge.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748096; rev:1;) alert tcp $HOME_NET any -> [185.241.211.85] 10001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748094; rev:1;) alert tcp $HOME_NET any -> [103.236.92.166] 83 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748093/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91748093; rev:1;) alert tcp $HOME_NET any -> [43.249.175.92] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748092; rev:1;) alert 
tcp $HOME_NET any -> [47.113.98.240] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748091; rev:1;) alert tcp $HOME_NET any -> [104.168.7.222] 15409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.timaglobalservices.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.timaglobalservicesbackup1.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.timaglobalservicesbackup2.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"grandmonde.f2ctoryp1anet.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"globalwork.f2ctoryp1anet.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"geheimcode.cav1ng5cript.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deepdark.cav1ng5cript.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748076; rev:1;) alert tcp $HOME_NET any -> [135.125.88.35] 8013 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748075/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_13; classtype:trojan-activity; sid:91748075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"toutsavoir.f2bricat9sar.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1748074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748074; rev:1;) alert tcp $HOME_NET any -> [172.81.182.63] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748073; rev:1;) alert tcp $HOME_NET any -> [38.135.54.246] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748072; rev:1;) alert tcp $HOME_NET any -> [209.141.57.1] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1748071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironsteel.f2bricat9sar.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mainrepair.du5tmanrepai7.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748067; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"quickfix.du5tmanrepai7.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zaraazra.mitreeki.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thewheel.staging.ebowdev.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vapekz.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"unicprimavera.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"vitanatura-gr.ekd.fwv.mybluehost.me"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spanishtravelandstudies.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ringer.vn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smtp.arcmidlands.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"testes.nsgrafica.ao"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"selax.pl"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1748049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sfgraphics.com.ar"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pi.afiunemaya.com.mx"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"old.se.staging.xrf.digital"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"portal.habitatbonaire.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ns2.liposemcortes3d.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748041/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_13; classtype:trojan-activity; sid:91748041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ns2.ivamediagroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nolamz.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"np.hanse-werbeshop.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"noihamxuong.cokhiviendong.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.satitravel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.theoldschool.sc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nhacaired88.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nieuwsbrief.kinderkoopjesjager.nl"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.residencial-primecaxias.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.rolyatmosi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"mail.thebluestartrans.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"martina-riederer.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.dudethatdelivers.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.gerafort.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.elitechoiceig.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.guestpertpublishing.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1748031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.bestfsg.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lovehun.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.afforableappliancerepair.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.caminosac.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"invoices.plus-ed.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748021/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_13; classtype:trojan-activity; sid:91748021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"imap.arcmidlands.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hrh.tkn.mybluehost.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"littlejoyonline.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"helmut-riederer.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"howcouldyouloseweightfast.moneymaking-opportunities.com"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748020; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"epicentreglobalevents.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dev.dary.com.qa"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ff-walbersdorf.at"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ftp.ndpparticipacoes.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baltonmed.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"ejewel.whizzo-tech.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"faqs-postgraduate.nu.edu.eg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"clubemperor.com.sg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bxl.myinvestment.properties"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"case3.test-wl.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"autodiscover.shalomstudios.in"; depth:29; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1748006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748006; rev:1;)
# (The line above is the tail of a rule that begins before this span; it is kept as found.)
#
# ThreatFox IOC rules, restored to one rule per line. In every rule the sid is "9" followed by
# the ThreatFox IOC id from its reference URL, and target:src_ip marks the $HOME_NET client as
# the affected host in alert output.
#
# Domain rules: dns_query + depth:N + isdataat:!1,relative match the queried name exactly
# (N equals the content length and nothing may follow it); nocase ignores letter case.
# A different label under the same parent domain does not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"awareness.accarda.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assine-gap.conk.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acc.dms.mechan.nl"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aicenterworld.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"26430.b3307.dhpage.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1748003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91748003; rev:1;)
#
# ip:port rules: there is no flow or content option, so any TCP packet from $HOME_NET to the
# listed address and port matches, including an unanswered connection attempt. The threshold
# limits output to one alert per source address per 60 seconds. An alert therefore shows
# contact with the address, not which protocol was spoken; corroborate with flow or endpoint data.
# NOTE(review): some msg labels name frameworks (Meterpreter, Brute Ratel C4, Cobalt Strike)
# that can also appear in authorised testing - confirm scope before escalating.
# NOTE(review): an address/port pair can be reassigned over time; first_seen gives the
# indicator's age and is the only ageing signal carried in the rule.
alert tcp $HOME_NET any -> [99.79.77.16] 20971 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747999; rev:1;)
alert tcp $HOME_NET any -> [43.210.93.81] 24042 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747998; rev:1;)
alert tcp $HOME_NET any -> [27.223.85.234] 62443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747997; rev:1;)
alert tcp $HOME_NET any -> [13.230.133.203] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747996; rev:1;)
alert tcp $HOME_NET any -> [18.118.117.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747995; rev:1;)
alert tcp $HOME_NET any -> [67.213.113.231] 1982 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747994; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.239] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747993; rev:1;)
alert tcp $HOME_NET any -> [144.31.1.147] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747990; rev:1;)
#
# Exact-name domain rules again; two of the names share the parent be5t2lancrown.ru, which is
# itself not matched by either rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edlerkranz.be5t2lancrown.ru"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"topking.be5t2lancrown.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747986; rev:1;)
# (The next line is the head of a rule that continues on the following source line; kept as found.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"argentvif.8etmon1sto.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747983/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747983; rev:1;)
# (The line above is the tail of a rule that begins on the previous source line; kept as found.)
#
# ThreatFox IOC rules, restored to one rule per line. The sid is "9" followed by the ThreatFox
# IOC id from the reference URL. Domain rules pin the exact queried name: depth equals the
# content length and isdataat:!1,relative forbids trailing data, so sibling or child names do
# not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goldcoin.8etmon1sto.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747982; rev:1;)
# NOTE(review): portmap.host looks like a shared parent domain; only this one full host name
# is matched, so unrelated names under the same parent do not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yassinekjdkfj-42734.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747981; rev:1;)
#
# ip:port rules: no flow or content option, so any TCP packet from $HOME_NET to the address
# and port matches (a connection attempt is enough). The threshold caps output at one alert
# per source address per 60 seconds, so the alert count says nothing about session volume.
# The same address can appear with several ports, each under its own sid (1.14.236.218 below).
alert tcp $HOME_NET any -> [187.170.215.28] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747980; rev:1;)
alert tcp $HOME_NET any -> [1.14.236.218] 38886 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747979; rev:1;)
alert tcp $HOME_NET any -> [1.14.236.218] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747978; rev:1;)
alert tcp $HOME_NET any -> [193.43.104.157] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747977; rev:1;)
alert tcp $HOME_NET any -> [160.250.134.125] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747976; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.203] 9999 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"altstadt.ja8u2rudila.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747974; rev:1;)
alert tcp $HOME_NET any -> [186.123.85.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747973; rev:1;)
#
# confidence_level 75 rules follow. They carry the same action and classtype as the 100%
# rules, so the confidence is visible only in msg and metadata; triage or routing that should
# treat them differently has to key on those fields.
# NOTE(review): the labels here (DeimosC2, Brute Ratel C4, Sliver, Havoc) name frameworks that
# can also appear in authorised testing, and ports 443/80 carry much ordinary traffic - a
# packet to the address alone is weak evidence; corroborate before escalating.
alert tcp $HOME_NET any -> [202.91.34.52] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747972/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747972; rev:1;)
alert tcp $HOME_NET any -> [20.211.49.27] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747971/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747971; rev:1;)
alert tcp $HOME_NET any -> [172.236.114.73] 11602 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747969/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747969; rev:1;)
alert tcp $HOME_NET any -> [172.233.12.93] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747968/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stonework.ja8u2rudila.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747966; rev:1;)
alert tcp $HOME_NET any -> [104.131.172.70] 8384 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747965/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747965; rev:1;)
# (The next line is the head of a rule that continues on the following source line; kept as found.)
alert tcp $HOME_NET any -> [103.245.38.125] 6197 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747963/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747963; rev:1;)
# (The line above is the tail of a rule that begins on the previous source line; kept as found.)
#
# ThreatFox IOC rules, restored to one rule per line. The sid is "9" followed by the ThreatFox
# IOC id from the reference URL; target:src_ip marks the $HOME_NET client as the affected host.
#
# ip:port rule: matches any TCP packet to the address and port (no flow or content option),
# limited to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [102.117.162.28] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747962/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747962; rev:1;)
#
# Domain rules: exact match on the queried name (depth equals the content length and
# isdataat:!1,relative forbids trailing data); nocase ignores letter case.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"douceurpure.dy5trops7uffy.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"softcloud.dy5trops7uffy.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747957; rev:1;)
#
# NOTE(review): the next rule looks for the literal "124.198.132.104" at the start of the
# http.uri buffer and has no http.host condition. A request URI normally starts with "/", so
# this probably does not fire on ordinary direct requests; the url rule for audioza.cyou
# further down puts the host in http.host instead. Check the ThreatFox entry (reference URL)
# for the intended indicator before counting on this rule for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"124.198.132.104"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1747954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747954; rev:1;)
#
# getupi.in.net is listed three times (the bare name and two subdomains) because each rule
# matches one exact name; any other subdomain is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telemetry.getupi.in.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.getupi.in.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tv88.us.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getupi.in.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"releases-scale.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747948; rev:1;)
alert tcp $HOME_NET any -> [144.31.164.226] 56778 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nx402bji.digimatrix.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5rfgvs2q.digimatrix.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkclouds.drop8rain.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747945; rev:1;)
# confidence_level 75 on a name under duckdns.org: only this exact host name matches, not the
# parent domain. Same classtype as the 100% rules, so the lower confidence shows only in
# msg and metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"truesir.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747942/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747942; rev:1;)
#
# url rule: GET requests whose URI begins with "/api" (depth:4, nocase, no end anchor, so any
# longer path with that prefix also matches) sent to the exact host audioza.cyou (depth:12 +
# isdataat:!1,relative). The host content carries no nocase; presumably this relies on the
# http.host buffer being lower-cased by Suricata - confirm for the deployed version.
# There is no threshold here, so every matching request raises an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"audioza.cyou"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747940/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747940; rev:1;)
# ThreatFox IOC rules, restored to one rule per line. The sid is "9" followed by the ThreatFox
# IOC id from the reference URL; target:src_ip marks the $HOME_NET client as the affected host.
# Domain rules match the queried name exactly (depth equals the content length and
# isdataat:!1,relative forbids trailing data).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"calc-rn1.connect8mathem.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747939; rev:1;)
#
# 178.128.69.245 is covered four times: two ip:port rules (ports 80 and 443, any TCP packet,
# one alert per source per 60 seconds) and two url rules for GET /api/agents/heartbeat.
alert tcp $HOME_NET any -> [178.128.69.245] 80 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747937; rev:1;)
alert tcp $HOME_NET any -> [178.128.69.245] 443 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747938; rev:1;)
# NOTE(review): sid 91747935 and sid 91747936 have identical match options (GET, URI prefix
# "/api/agents/heartbeat", exact host 178.128.69.245); only the reference id and sid differ.
# One matching request raises both alerts and neither rule has a threshold, so a periodic
# request of this kind would double the alert volume - deduplicate downstream on
# source, destination and URI rather than on sid.
# The url rules are not bound to a port, and the URI content has no end anchor, so longer
# paths beginning with the same string also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agents/heartbeat"; depth:21; nocase; http.host; content:"178.128.69.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agents/heartbeat"; depth:21; nocase; http.host; content:"178.128.69.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747936; rev:1;)
#
# trustconnectsoftware.com appears as a DNS rule and as a url rule with the same
# /api/agents/heartbeat URI as the 178.128.69.245 rules above; a client that resolves the
# name and then sends the request produces one alert from each.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustconnectsoftware.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agents/heartbeat"; depth:21; nocase; http.host; content:"trustconnectsoftware.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"formula.connect8mathem.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c9n4p.connect8mathem.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747930; rev:1;)
# (The next line is the head of a rule that continues on the following source line; kept as found.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pr0ph3t.fortune23tv.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747929/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_13; classtype:trojan-activity; sid:91747929; rev:1;)
# (The line above is the tail of a rule that begins on the previous source line; kept as found.)
#
# ThreatFox IOC rules, restored to one rule per line. The sid is "9" followed by the ThreatFox
# IOC id from the reference URL; target:src_ip marks the $HOME_NET client as the affected host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"oracle.fortune23tv.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747928; rev:1;)
#
# confidence_level 50 rules follow. They use the same action, msg wording ("botnet C2
# traffic") and classtype as the 100% rules, so the lower confidence is visible only in the
# msg percentage and the metadata field. Treat a single DNS hit as a lead to corroborate with
# other telemetry, and key any severity mapping on metadata confidence_level.
# Each rule matches the "www." name exactly (depth equals the content length and
# isdataat:!1,relative forbids trailing data); the bare domain is not covered.
# NOTE(review): several of these names read like ordinary business sites - confirm against the
# ThreatFox entry before blocking on them.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.reumatologonorte.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747909/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.rockfest-game.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747910/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.selinavordest.asia"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747911/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.serenitycopperpeptides.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747912/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.serverkamboja.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747913/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.slomelly.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747914/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ss8a30gt.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747915/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.theaiprondirectory.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747916/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tisvxh.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747917/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vaycasino1864.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747918/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.violinsforsale.store"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747919/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.visual-dna.ai"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747920/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.watcher.gifts"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747921/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.webweavers.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747922/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wsminshop8.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747923/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xcggg.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747924/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xfqxaa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747925/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.yuristkon.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747926/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ziga555slot.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747927/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747927; rev:1;)
# (The next line is the head of a rule that continues on the following source line; kept as found.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.inaurainsurance.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747890/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; 
sid:91747890; rev:1;)
# (The line above is the tail of a rule that begins on the previous source line; kept as found.)
#
# ThreatFox IOC rules, restored to one rule per line; all rules in this span are DNS rules at
# confidence_level 50. The sid is "9" followed by the ThreatFox IOC id from the reference URL,
# and target:src_ip marks the $HOME_NET client as the affected host.
# Each rule matches one "www." name exactly (depth equals the content length and
# isdataat:!1,relative forbids trailing data; nocase ignores letter case), so the bare domain
# and other subdomains are not covered.
# The action, msg wording and classtype do not differ by confidence; only the msg percentage
# and metadata confidence_level do. Treat a single hit as a lead to corroborate with other
# telemetry, and key any severity mapping on the metadata field.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.indigo-moose.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747891/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ippyaaj.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747892/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.irisbankid.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747893/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jackpotindex.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747894/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jellyfishsaigon.cloud"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747895/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.kler8a.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747896/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lezmansion.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747897/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.liftu.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747898/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.livinglearninglaughing.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747899/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mainhu.id.vn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747900/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.movaprivate.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747901/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mvcty.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747902/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nika-casino-es.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747903/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.nup5un.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747904/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.odysseymarketingcrew.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747905/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.opbpxqjk.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747906/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pzqwz.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747907/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.r4u6wi.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747908/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.canadausatimeshare.us"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747872/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cranered.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747873/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.crazyalaskandrivers.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747874/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cuzziecaresystems.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747875/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cy2xr302.vip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747876/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.davebmale.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747877/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dosalpick.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747878/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dr-karimaccountant.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747879/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747879; rev:1;)
# (The next line is the head of a rule that continues past the end of this span; kept as found.)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dreamyhub.com.br"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747880/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.drenithej.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747881/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dyizzhj.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747882/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ekdalsperspektiv.se"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747883/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.emrcustoms.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747884/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.evermarkmercantile.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747885/; target:src_ip; metadata: 
confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fareqr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747886/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.feyzc8.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747887/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fw81e5z7r3b-ghe9.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747888/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.genomic.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747889/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1orei.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747863/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747863; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.53974.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747864/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.9wcxao.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747865/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.agentedger.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747866/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aiconsultancy.ch"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747867/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.appdasmagras.com.br"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747868/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"www.bannedbookstore.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747869/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747869; rev:1;)
# DNS rules: each one fires on a query from $HOME_NET whose name equals the listed
# domain exactly. depth:<len> plus isdataat:!1,relative pins the match to the whole
# dns_query buffer and nocase ignores case, so the bare parent domain or any other
# label under it does not match.
# Triage: confidence_level is 50 and these rules carry no threshold keyword, so every
# matching query raises an alert; target:src_ip marks the querying host as the target.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.brainbloom.ai"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747870/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.buyozz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747871/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747871; rev:1;)
# HTTP rules: each one fires on a client request in an established flow where
# http.method contains "GET", http.uri begins with "/gn29/" (depth:6, nocase) and
# http.host equals the listed host exactly (depth:<len> plus isdataat:!1,relative).
# The protocol is http, so only traffic parsed as HTTP is inspected; the dns rules in
# this file list the same host names (www.bannedbookstore.com, for example), so one
# host can raise both a dns and an http alert for the same destination.
# NOTE(review): the host content has no nocase; this presumably relies on Suricata
# lower-casing the http.host buffer - confirm against the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.xcggg.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747859/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.xfqxaa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747860/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.yuristkon.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747861/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.ziga555slot.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747862/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.serverkamboja.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747848/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.slomelly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747849/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.ss8a30gt.bond"; depth:17;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747850/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.theaiprondirectory.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747851/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.tisvxh.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747852/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.vaycasino1864.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747853/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.violinsforsale.store"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747854/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; 
sid:91747854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.visual-dna.ai"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747855/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.watcher.gifts"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747856/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.webweavers.kr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747857/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.wsminshop8.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747858/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.nup5un.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747839/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.odysseymarketingcrew.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747840/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.opbpxqjk.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747841/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.pzqwz.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747842/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.r4u6wi.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747843/; 
target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.reumatologonorte.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747844/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.rockfest-game.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747845/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.selinavordest.asia"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747846/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.serenitycopperpeptides.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747847/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747847; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.jellyfishsaigon.cloud"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747830/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.kler8a.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747831/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.lezmansion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747832/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.liftu.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747833/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; 
nocase; http.host; content:"www.livinglearninglaughing.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747834/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.mainhu.id.vn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747835/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.movaprivate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747836/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.mvcty.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747837/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.nika-casino-es.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747838/; target:src_ip; metadata: confidence_level 
50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.emrcustoms.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747819/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.evermarkmercantile.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747820/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.fareqr.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747821/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.feyzc8.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747822/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.fw81e5z7r3b-ghe9.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747823/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.genomic.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747824/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.inaurainsurance.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747825/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.indigo-moose.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747826/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.ippyaaj.sbs"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747827/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.irisbankid.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747828/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.jackpotindex.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747829/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.cuzziecaresystems.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747810/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.cy2xr302.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747811/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; 
sid:91747811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.davebmale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747812/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.dosalpick.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747813/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.dr-karimaccountant.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747814/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.dreamyhub.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747815/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.drenithej.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747816/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.dyizzhj.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747817/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.ekdalsperspektiv.se"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747818/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.9wcxao.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747800/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.agentedger.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1747801/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.aiconsultancy.ch"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747802/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.appdasmagras.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747803/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.bannedbookstore.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747804/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.brainbloom.ai"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747805/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747805; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.buyozz.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747806/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.canadausatimeshare.us"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747807/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.cranered.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747808/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.crazyalaskandrivers.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747809/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gn29/"; depth:6; nocase; http.host; content:"www.1orei.cyou"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747798/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gn29/"; depth:6; nocase; http.host; content:"www.53974.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747799/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5m2x.fortune23tv.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w1nd-ll.whirl189wind.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747796; rev:1;) alert tcp $HOME_NET any -> [54.255.55.251] 119 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747794; rev:1;) alert tcp $HOME_NET any -> [54.255.55.251] 31969 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747792; rev:1;) alert tcp $HOME_NET any -> [54.255.55.251] 44819 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747793; rev:1;) alert tcp $HOME_NET any -> [51.112.178.33] 7001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747790; rev:1;) alert tcp $HOME_NET any -> [51.112.178.33] 47001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747791; rev:1;) alert tcp $HOME_NET any -> [69.167.10.211] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747789; rev:1;) alert tcp $HOME_NET any -> [213.10.177.103] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747788; rev:1;) alert tcp $HOME_NET any -> 
[181.214.100.216] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747787; rev:1;) alert tcp $HOME_NET any -> [156.234.33.82] 19273 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"breeze.whirl189wind.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a6t9q.whirl189wind.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"st0ne-rn.mile163stone.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747747; rev:1;) alert tcp $HOME_NET any -> [213.14.185.201] 1604 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marker.mile163stone.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747744; rev:1;) alert tcp $HOME_NET any -> [23.236.64.252] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747743; rev:1;) alert tcp $HOME_NET any -> [74.81.49.19] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747742; rev:1;) alert tcp $HOME_NET any -> [13.232.97.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747741; rev:1;) alert tcp $HOME_NET any -> [8.148.251.204] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747740; 
rev:1;) alert tcp $HOME_NET any -> [16.171.54.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747739; rev:1;) alert tcp $HOME_NET any -> [23.235.182.118] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p8x4n.mile163stone.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c1ear-v.clint9vargo.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"signal.clint9vargo.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"gor.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gor.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gor.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m3q7v.clint9vargo.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rnove5.drift2cargo.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"67ocfzzz.hangesulka.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iws3hffo.hangesulka.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vector.drift2cargo.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z9t2d.drift2cargo.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747528; rev:1;) alert tcp $HOME_NET any -> [4.154.22.123] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747527/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harbor.plint7marco.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4m8q.plint7marco.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"n0va-rn.brisk4tango.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747517; rev:1;) alert tcp $HOME_NET any -> [155.117.40.221] 1337 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747513; rev:1;) alert tcp $HOME_NET any -> [157.241.106.252] 8013 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747512/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747512; rev:1;) alert tcp $HOME_NET any -> [54.93.123.57] 30005 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747510; rev:1;) alert tcp $HOME_NET any -> [54.93.123.57] 50805 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747511; rev:1;) alert tcp $HOME_NET any -> [13.245.28.15] 18084 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747509; rev:1;) alert tcp $HOME_NET any -> [3.71.79.244] 34009 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747508; rev:1;) alert tcp $HOME_NET any -> [196.251.107.148] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747507; rev:1;) alert tcp $HOME_NET any -> [195.184.233.126] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"echo3.brisk4tango.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x7p9a.brisk4tango.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"legend.griv8ton5za.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747503; rev:1;) alert tcp $HOME_NET any -> [58.144.179.206] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747502; rev:1;) alert tcp $HOME_NET any -> [58.144.179.206] 36915 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747501/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747501; rev:1;) alert tcp $HOME_NET any -> [43.164.1.146] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747500; rev:1;) alert tcp $HOME_NET any -> [109.107.161.96] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747499; rev:1;) alert tcp $HOME_NET any -> [206.189.213.116] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747498; rev:1;) alert tcp $HOME_NET any -> [78.128.113.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747497; rev:1;) alert tcp $HOME_NET any -> [62.102.148.166] 3066 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747495; rev:1;) alert tcp $HOME_NET any -> [94.185.80.230] 3066 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747496; rev:1;) alert tcp $HOME_NET any -> [51.45.54.250] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747494; rev:1;) alert tcp $HOME_NET any -> [107.172.31.102] 8891 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747493; rev:1;) alert tcp $HOME_NET any -> [154.86.18.142] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747492/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747492; rev:1;) alert tcp $HOME_NET any -> [139.196.37.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747491; rev:1;) alert tcp $HOME_NET any -> [38.60.206.124] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747490; 
rev:1;) alert tcp $HOME_NET any -> [107.174.176.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laalmirchitakeaway.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wunder.griv8ton5za.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finesse.plon6var1ty.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pst.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"pst.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pst.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pst.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sitemap.xml"; depth:12; nocase; http.host; content:"51.77.77.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747476/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747476; rev:1;) alert tcp $HOME_NET any -> [46.203.233.102] 1337 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747111; rev:1;) alert 
tcp $HOME_NET any -> [194.59.30.214] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747465; rev:1;) alert tcp $HOME_NET any -> [158.94.211.18] 5909 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"horizon.plon6var1ty.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747474; rev:1;) alert tcp $HOME_NET any -> [52.90.129.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747472/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747472; rev:1;) alert tcp $HOME_NET any -> [204.76.203.41] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747469/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"koenig.tron6val4ky.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1747464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747464; rev:1;)
# DNS rule: exact, case-insensitive match on the whole query name (depth = pattern length plus isdataat:!1,relative); subdomains of the name do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zpwtceh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747462/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747462; rev:1;)
# ip:port rules: address and port are the only match criteria (no flow or content keywords), so every TCP packet from $HOME_NET to that endpoint qualifies; threshold type limit keeps it to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [12.7.27.147] 7220 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747459/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747459; rev:1;)
alert tcp $HOME_NET any -> [116.26.10.158] 36010 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747458/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747458; rev:1;)
# The four Vidar entries below are on port 443, where the payload is normally encrypted; the rule relies on the destination address alone.
alert tcp $HOME_NET any -> [46.224.11.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747453; rev:1;)
alert tcp $HOME_NET any -> [151.247.22.188] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747454; rev:1;)
alert tcp $HOME_NET any -> [151.247.22.211] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747455; rev:1;)
alert tcp $HOME_NET any -> [46.225.137.109] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huu.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huu.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747452; rev:1;)
# HTTP rule: GET with URI starting "/" (any path) and http.host equal to the listed name; it fires only on cleartext HTTP the sensor can parse.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huu.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.224.11.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747446; rev:1;)
# HTTP rules keyed on a bare IP in the Host header: GET, URI starting "/" (any path), http.host equal to the listed address.
# NOTE(review): a client that sends a hostname, or connects over TLS, will not match these - they complement address-based rules rather than replace them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"46.225.137.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"huu.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747444; rev:1;)
# DNS rule: exact, case-insensitive match on the full query name; subdomains are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bravery.fron4tek7ly.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747443; rev:1;)
# ip:port rules: destination address and port only, no flow or content keywords; threshold type limit yields one alert per source per 60 seconds however many packets match.
# The family in msg is the ThreatFox label; the rule itself inspects nothing that identifies the tool on the wire.
alert tcp $HOME_NET any -> [154.90.32.188] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747442; rev:1;)
alert tcp $HOME_NET any -> [52.196.110.202] 60000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747441; rev:1;)
alert tcp $HOME_NET any -> [52.196.110.202] 51200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747440; rev:1;)
alert tcp $HOME_NET any -> [52.196.110.202] 2000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747439; rev:1;)
alert tcp $HOME_NET any -> [143.198.148.203] 4443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747438; rev:1;)
alert tcp $HOME_NET any -> [40.177.153.83] 1962 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747437; rev:1;)
alert tcp $HOME_NET any -> [5.175.192.114] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747436; rev:1;)
alert tcp $HOME_NET any -> [83.147.19.146] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747435; rev:1;)
alert tcp $HOME_NET any -> [198.244.243.243] 4056 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1747434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747434; rev:1;)
# ip:port rules: match on destination address and port alone; threshold type limit gives one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [83.229.127.46] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747433; rev:1;)
alert tcp $HOME_NET any -> [43.243.191.236] 37812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747432; rev:1;)
# DNS rules: dns_query content anchored at both ends (depth = pattern length, isdataat:!1,relative), nocase - exact name only, subdomains do not match.
# The entries from here to techcross-wne.com carry confidence_level 50: treat hits as hunting leads and corroborate with endpoint or proxy telemetry before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"7zip.cloud"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747430/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747430; rev:1;)
# Eleven look-alike names (herosms / smshero / hero-sms under several TLDs) with consecutive ioc ids 1747419-1747429; NOTE(review): presumably one submission - the msg names no malware family, see the referenced ioc pages.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pulse.herosms.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747419/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spark.herosms.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747420/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mint.smshero.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747421/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zest.hero-sms.ai"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747422/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"neo.herosms.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747423/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"flux.smshero.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747424/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"prime.herosms.vip"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747425/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"apex.herosms.ai"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747426/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vivid.smshero.vip"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747427/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"glide.smshero.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747428/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nova.smshero.ai"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747429/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"techcross-wne.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747418/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747418; rev:1;)
# NOTE(review): the name below looks like a numbered TCP endpoint of a tunnelling service rather than a dedicated domain; presumably other tenants resolve it too, so confirm the follow-on connection before treating a lookup as compromise despite confidence_level 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"35.tcp.cpolar.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747417/;
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747417; rev:1;)
# DNS rules in this run: exact, case-insensitive match on the whole query name (depth = pattern length plus isdataat:!1,relative); subdomains do not match.
# Most entries here are confidence_level 50 - use them as hunting leads and corroborate before blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"investonline.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747416/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747416; rev:1;)
# HTTP rules: GET, URI beginning with the listed path (depth only, so longer URIs with that prefix also match), http.host equal to the listed value.
# The three pastebin.com rules match a lower-cased /raw/ path with nocase. NOTE(review): paste ids are case-sensitive on the service, so an id differing only in letter case also matches; the site is normally fetched over HTTPS, where these rules see nothing without TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2dmbx2gb"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747412/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/w7tayq0k"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747413/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/s9dq5qmx"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747414/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747414; rev:1;)
# ip:port rule on 443 at confidence_level 50: address and port are the only criteria, one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [94.103.83.166] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747411/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747411; rev:1;)
# NOTE(review): dynuddns.net here and no-ip.org further down appear to be dynamic-DNS zones; only the listed host label is matched, not the parent zone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"amarreansy.dynuddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747407/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.emergingwolrdgroup.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747408/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.prangurop.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747409/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.prgovreseas.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747410/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homeforsaleinaustin.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747406; rev:1;)
# Payload-delivery URL: the path is matched as a case-insensitive prefix and the host exactly; a hit means the client requested the file over cleartext HTTP, not that it executed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/malyka/panel/shit.exe"; depth:22; nocase; http.host; content:"www.ttghk.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747405/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lordppl.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747404/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plumbingatlantaga.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747403; rev:1;)
# NOTE(review): a script under /wp-admin/ suggests a third-party site being used as the endpoint (presumably compromised); expect the indicator to age out once the site is cleaned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css/tasks.php"; depth:27; nocase; http.host; content:"aofkamu.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747402/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"js.zianxn.qzz.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747400/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mu-minhvuong.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747401/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bot.loadzicoo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747399/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747399; rev:1;)
# This rule matches GET only; NOTE(review): if the client is expected to use another method for this URI, the rule will stay silent - check the referenced ioc page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tailor/fre.php"; depth:15; nocase; http.host; content:"freeschoolbox.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747398/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.supuda.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747388/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.theassamvibe.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1747389/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747389; rev:1;)
# Batch of www.* DNS rules, all confidence_level 50 with near-consecutive ioc ids; the msg names no malware family.
# Each matches only a query for exactly the listed name (depth = pattern length, isdataat:!1,relative, nocase); the bare domain without www. is not covered.
# NOTE(review): presumably a bulk submission in which some names may be benign or decoys - corroborate a hit with host telemetry before acting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tradeswindservices.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747390/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.tusarun.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747391/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.v47hmab703.forum"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747392/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vendoremporiumrc.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747393/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.vrindavan.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747394/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.wecht2025.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747395/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747395; rev:1;)
# The xn-- label is the punycode (ASCII) form of an internationalized name; the pattern is compared against the query name in that ASCII form.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.xn--o39a4rfls25drvhv3h.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747396/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.zf12521.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747397/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mrplindia.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747369/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mugguru.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747370/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.mylittlechart.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747371/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ocalrank.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747372/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.p6uy.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747373/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.parientchain.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747374/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.pawmfy.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747375/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.petbelles.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747376/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.portuguese.guru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747377/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.prithvihairexports.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747378/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.reyaan.tech"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747379/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.s11c3j.vip"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747380/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shegotthehookup.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747381/; target:src_ip; metadata: confidence_level 50, first_seen
2026_02_13; classtype:trojan-activity; sid:91747381; rev:1;)
# www.* DNS rules at confidence_level 50 with no malware family in msg: each fires only on a query for exactly the listed name (depth = pattern length, isdataat:!1,relative, nocase).
# NOTE(review): at this confidence level a single lookup is a lead, not a verdict - check for a follow-on connection from the same source before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shu9.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747382/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shuelab.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747383/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.shzlpjum.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747384/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.skyvibes.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747385/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.smartguardinnovations.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747386/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.streetwisecinema.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747387/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fashionistareign.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747351/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.feo7om.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747352/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fermonhomerepairs.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747353/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.filesxyz.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747354/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.freshero.my"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747355/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.g7fdnl.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747356/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.gmotionvfx.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747357/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.i36eg963gd.forum"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747358/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ikkvzr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747359/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.infomere.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747360/; target:src_ip; metadata:
confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.isvqnfgq.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747361/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.iyi73.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747362/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.jhpifr.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747363/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.lawyerconnectindia.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747364/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.loquieroya.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747365/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747365; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.m3fgct.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747366/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.m41mg.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747367/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.malayshophk.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747368/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.1f9863be829c59ca.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747334/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.7mfmgsh.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747335/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.aa8668.xyz"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747336/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.allthetastings.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747337/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ardinsys.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747338/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ashenfrostblissful.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747339/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.b17825924.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747340/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bankweek.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747341/; target:src_ip; 
metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.bigsbetcasino-ubv.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747342/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.boukharicharicapllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747343/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.caupons.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747344/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.couar.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747345/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.cuy9qk.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747346/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747346; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.dbst1o.bond"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747347/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747347; rev:1;)
# DNS rules, feed confidence 50%: whole-name, case-insensitive match on the
# queried name (depth equals the content length, isdataat:!1,relative forbids
# trailing bytes, nocase). Other subdomains and the apex without "www." do not
# fire. A hit shows a lookup only, not a completed connection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.ellejeantaylorglow.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747348/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.estaon.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747349/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.fashioningcommunuty.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747350/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747350; rev:1;)
# HTTP rules, feed confidence 50%. Each rule requires client-to-server traffic
# on an established flow, "GET" in the method buffer, a normalized URI that
# starts with "/ds28/" (depth:6, nocase), and a Host exactly equal to the
# listed name (depth equals the content length, isdataat:!1,relative forbids
# trailing bytes). Suricata lowercases the http.host buffer, which is why the
# host content carries no nocase.
# These rules inspect parsed cleartext HTTP only; the same request inside TLS
# is not visible to them without decryption. Several hostnames also have a
# dns_query rule in this file (for example www.s11c3j.vip: sid 91747380 for DNS
# and sid 91747316 for HTTP), so one host can raise both alerts; correlate by
# source address rather than counting them as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.tradeswindservices.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747326/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.tusarun.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747327/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.v47hmab703.forum"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747328/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.vendoremporiumrc.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747329/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.vrindavan.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747330/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.wecht2025.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747331/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747331; rev:1;)
# The next host is an internationalized name, matched in its ASCII "xn--" form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.xn--o39a4rfls25drvhv3h.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747332/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.zf12521.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747333/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.s11c3j.vip"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747316/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.shegotthehookup.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747317/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.shu9.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747318/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.shuelab.kr"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747319/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.shzlpjum.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747320/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.skyvibes.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747321/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.smartguardinnovations.site"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747322/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.streetwisecinema.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747323/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.supuda.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747324/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.theassamvibe.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747325/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.mylittlechart.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747307/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.ocalrank.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747308/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.p6uy.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747309/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.parientchain.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747310/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.pawmfy.store"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747311/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747311; 
rev:1;)
# HTTP rules, feed confidence 50%. Each rule requires client-to-server traffic
# on an established flow, "GET" in the method buffer, a normalized URI that
# starts with "/ds28/" (depth:6, nocase), and a Host exactly equal to the
# listed name (depth equals the content length, isdataat:!1,relative forbids
# trailing bytes). Suricata lowercases the http.host buffer, which is why the
# host content carries no nocase. target:src_ip marks the requesting internal
# host as the affected side of the event.
# These rules inspect parsed cleartext HTTP only; the same request inside TLS
# is not visible to them without decryption. Several hostnames also have a
# dns_query rule in this file (for example www.portuguese.guru: sid 91747377
# for DNS and sid 91747313 for HTTP), so one host can raise both alerts;
# correlate by source address rather than counting them as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.petbelles.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747312/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.portuguese.guru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747313/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.prithvihairexports.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747314/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.reyaan.tech"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747315/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.isvqnfgq.click"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747297/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.iyi73.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747298/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.jhpifr.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747299/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.lawyerconnectindia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747300/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.loquieroya.website"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747301/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.m3fgct.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747302/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.m41mg.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747303/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.malayshophk.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747304/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.mrplindia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747305/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.mugguru.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747306/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.fermonhomerepairs.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747288/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.filesxyz.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747289/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.freshero.my"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747290/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.g7fdnl.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747291/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.gmotionvfx.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747292/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.gurmesra.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747293/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.i36eg963gd.forum"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747294/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.ikkvzr.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747295/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.infomere.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747296/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.boukharicharicapllc.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747278/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.caupons.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747279/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.couar.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747280/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.cuy9qk.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747281/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.dbst1o.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747282/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.ellejeantaylorglow.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747283/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.estaon.store"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747284/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.fashioningcommunuty.com"; depth:27; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1747285/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747285; rev:1;)
# --- URL rules: GET, URI prefix "/ds28/", exact host ---
# http.uri content:"/ds28/" with depth:6 anchors the match at the start of the URI and
# leaves the end open; http.host content with depth equal to the name length plus
# isdataat:!1,relative matches the host name exactly. Only GET is inspected.
# All of these are confidence_level 50 and carry no malware family in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.fashionistareign.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747286/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.feo7om.bond"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747287/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.1f9863be829c59ca.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747269/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.7mfmgsh.sbs"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747270/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.aa8668.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747271/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.allthetastings.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747272/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.ardinsys.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747273/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.ashenfrostblissful.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747274/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.b17825924.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747275/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.bankweek.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747276/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds28/"; depth:6; nocase; http.host; content:"www.bigsbetcasino-ubv.ru"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747277/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747277; rev:1;)
# --- ip:port rules (msg family: DCRat) ---
# These rules have no flow or content keywords: any TCP packet from $HOME_NET to the
# listed address and port matches, so an alert shows a connection attempt and says
# nothing about whether a session was established or what was exchanged.
# threshold (type limit, track by_src, seconds 60, count 1) caps output at one alert
# per source address per 60 seconds. Three of the four rules share one address.
alert tcp $HOME_NET any -> [179.247.245.136] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747265/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747265; rev:1;)
alert tcp $HOME_NET any -> [179.247.245.136] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747266/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747266; rev:1;)
alert tcp $HOME_NET any -> [179.247.245.136] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747267/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747267; rev:1;)
# NOTE(review): addresses in 26.0.0.0/8 commonly show up as VPN overlay addresses
# (e.g. Radmin VPN) rather than as internet-routed hosts; presumably this IOC was
# recorded from inside such an overlay. Verify on the IOC page before relying on
# this rule at a perimeter sensor.
alert tcp $HOME_NET any -> [26.2.109.252] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747268/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747268; rev:1;)
# --- DNS rules ---
# dns_query selects the queried name as the inspection buffer. content with depth equal
# to the name length plus isdataat:!1,relative makes the match exact, and nocase makes
# it case-insensitive. A sub-domain is covered only where it has its own rule:
# adsk2.co.com and malware.adsk2.co.com are listed separately below.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"08yvh4.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747254/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"adsk2.co.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747255/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"malware.adsk2.co.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747256/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"malware.notebook.ru.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747257/; target:src_ip; metadata: confidence_level 50,
first_seen 2026_02_13; classtype:trojan-activity; sid:91747257; rev:1;)
# --- DNS rules (exact-name match) ---
# dns_query + content + depth equal to the name length + isdataat:!1,relative matches
# the queried name exactly (nocase: any letter case). Parent and child names are
# independent rules: velocilinx.com, v2.www.velocilinx.com and v3.www.velocilinx.com
# each appear on their own, and any other label under the same domain is not covered.
# NOTE(review): portmap.io, portmap.host and localto.net look like tunnelling or
# port-forwarding services; each rule names one specific sub-domain, so the service
# as a whole is neither flagged nor excluded by these entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"malware.phbrowntxflights.za.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747258/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mcehonline-43171.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747259/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"praxisbjj.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747260/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.www.velocilinx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747261/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v2.xoilaczzspz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747262/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.www.velocilinx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747263/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"v3.xoilaczzspz.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747264/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747264; rev:1;)
# --- URL rules for host mabougies.ch ---
# Five rules share the exact host mabougies.ch and differ only in the URI prefix
# /page/9:NUMBER/ (1604, 443, 4782, 8080, 8848). Only GET is inspected and the URI
# match is a prefix match (depth anchors the start, nothing anchors the end).
# NOTE(review): the numeric part looks like a list of TCP ports, and a ':' at this
# position in a request path is unusual; confirm on the IOC pages that these are
# real request paths and not an artifact of how the URL was recorded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/9:1604/"; depth:13; nocase; http.host; content:"mabougies.ch"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747249/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/9:443/"; depth:12; nocase; http.host; content:"mabougies.ch"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747250/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/9:4782/"; depth:13; nocase; http.host; content:"mabougies.ch"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747251/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/9:8080/"; depth:13; nocase; http.host; content:"mabougies.ch"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747252/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/9:8848/"; depth:13; nocase; http.host; content:"mabougies.ch"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747253/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747253; rev:1;)
# --- DNS rules (exact-name match, same shape as the DNS rules above) ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"yfmhfrulb.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747248/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"clipsexsub3x.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747243/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"f1erka1-62011.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747244/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sexdep.blog"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747245/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sextop1.page"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747246/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"velocilinx.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747247/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747247; rev:1;)
# --- URL rules whose URI content is just "/" ---
# content:"/"; depth:1 is satisfied by any URI that starts with "/", so these rules
# amount to "any GET request carrying this exact host value". Where the host is an IP
# literal (45.192.240.166) the match is on the host text in the HTTP request; the rule
# header's destination is $EXTERNAL_NET any, so the connection's address is not checked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.192.240.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747242/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.2571314.xyz"; depth:15; isdataat:!1,relative; reference:url,
threatfox.abuse.ch/ioc/1747241/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747241; rev:1;)
# URI content "/" with depth:1 matches every URI that starts with "/", so this rule
# fires on any GET request whose host is exactly ip89.ip-139-99-86.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ip89.ip-139-99-86.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747240/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747240; rev:1;)
# NOTE(review): the next three rules place an IP literal or host name in http.uri
# (depth anchors it at the start of the URI buffer) and have no http.host match at all.
# An origin-form request URI starts with "/", so these presumably never match ordinary
# requests. TODO confirm against the IOC pages; if the IOC is a bare host, a locally
# maintained rule matching the value in http.host would be the working equivalent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"27.102.138.230"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1747239/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ueen-lo.dns.army"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1747238/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"psm-ter.dns.army"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1747237/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747237; rev:1;)
# --- URL rules: specific path prefix plus exact host ---
# Shape: GET only; http.uri content anchored at the start by depth (end left open);
# http.host matched exactly via depth equal to its length plus isdataat:!1,relative.
# NOTE(review): paths such as .../pvqdq929bsx_a_d_m1n_a.php and /g8hrs4f4vh/login.php
# look like panel or login pages rather than implant check-in paths; presumably a hit
# means an internal host browsed to the panel. Verify on the IOC page when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/password/five/pvqdq929bsx_a_d_m1n_a.php"; depth:40; nocase; http.host; content:"91.92.243.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747236/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mangatoread.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747235/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.jira.devergent.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747234/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8hrs4f4vh/login.php"; depth:21; nocase; http.host; content:"193.143.1.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747233/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747233; rev:1;)
# DNS rule in the "payload delivery" category at confidence_level 100 (the neighbouring
# URL rules are "botnet C2 traffic" at 50); exact-name match on the queried domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stille.fron4tek7ly.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13;
classtype:trojan-activity; sid:91747232; rev:1;)
# --- URL rules: /supershell/login on three IP-literal hosts ---
# GET only; the URI must start with /supershell/login (depth:17, end not anchored) and
# the host value must equal the listed IP literal exactly. The rule header's destination
# is $EXTERNAL_NET any, so the match is on the host text in the request, not on the
# address the connection actually goes to.
# NOTE(review): a login path presumably identifies a management panel rather than
# implant check-in traffic; treat a hit as "internal host requested the panel" until
# the IOC page says otherwise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"193.111.30.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747231/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.245.85.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747230/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"77.90.185.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747229/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747229; rev:1;)
# --- URL rules whose URI content is just "/" ---
# content:"/"; depth:1 matches any URI that starts with "/", so each of these rules
# fires on any GET request to the exact host named in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coinbasehideicxyz.cc"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747228/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coinbaseicxyz.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747227/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vmshell.352319.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747226/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ssl.nvidia.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747225/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hebuyu.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747224/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747224; rev:1;)
# --- URL rules: /HEX16.php on IP-literal hosts ---
# Each path is a 16-character hexadecimal file name with a .php extension, paired with
# one exact IP-literal host. Only GET is inspected, so requests using another method
# to the same URL do not alert. The URI match is a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7e1669c87b2a4f93.php"; depth:21; nocase; http.host; content:"77.221.154.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747223/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b5caa8f188054fc8.php"; depth:21; nocase; http.host; content:"159.69.114.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747222/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747222; rev:1;)
# DNS rule in the "payload delivery" category at confidence_level 100; exact-name match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mirage.glor5ven2ta.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6c05fe452e5af24.php"; depth:21; nocase; http.host; content:"185.196.10.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747220/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30f6901d21ae0dd7.php"; depth:21; nocase; http.host; content:"45.88.76.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747219/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d7d759eb06ee4a63.php"; depth:21; nocase; http.host; content:"66.63.187.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747218/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/47fec8f722884ace.php"; depth:21; nocase; http.host; content:"93.152.230.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747217/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747217; rev:1;)
# --- ip:port rules (family named in msg) ---
# No flow or content keywords: any TCP packet from $HOME_NET to the listed address and
# port matches, so an alert records a connection attempt only. threshold (type limit,
# track by_src, seconds 60, count 1) caps output at one alert per source per 60 seconds.
# NOTE(review): on a common port such as 443 the rule identifies the peer by address
# alone; if that address is shared or reassigned, unrelated traffic will alert. The
# first_seen value in metadata can be used to age such entries out.
alert tcp $HOME_NET any -> [103.106.191.10] 444 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747216/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747216; rev:1;)
alert tcp $HOME_NET any -> [185.100.233.121] 443 (msg:"ThreatFox Fickle Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747215/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747215; rev:1;)
alert tcp $HOME_NET any -> [102.117.15.139] 7434 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747214/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747214; rev:1;)
alert tcp $HOME_NET any -> [180.131.145.105] 2012 (msg:"ThreatFox Crimson RAT
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747213/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747213; rev:1;)
# --- ip:port rules (family named in msg) ---
# Header-only detection: the rule body has no flow or content keywords, so any TCP
# packet from $HOME_NET to the listed address and port matches. An alert therefore
# records that a host tried to reach the endpoint, not that a C2 session succeeded.
# threshold (type limit, track by_src, seconds 60, count 1) emits at most one alert
# per source address per 60 seconds. target:src_ip marks the internal host as the
# target in the alert record.
# Confidence varies inside this run: the Aisuru entries (all on port 8001) carry
# confidence_level 75, the others 50. The metadata field can be used to route or
# suppress alerts by confidence.
alert tcp $HOME_NET any -> [186.169.55.212] 9002 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747212/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747212; rev:1;)
alert tcp $HOME_NET any -> [147.50.253.97] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747211/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747211; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.17] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747210/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747210; rev:1;)
alert tcp $HOME_NET any -> [4.247.145.101] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747209/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747209; rev:1;)
alert tcp $HOME_NET any -> [140.238.72.142] 8083 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747208/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747208; rev:1;)
alert tcp $HOME_NET any -> [121.89.205.206] 1244 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747207/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747207; rev:1;)
alert tcp $HOME_NET any -> [118.122.8.224] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747206/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747206; rev:1;)
alert tcp $HOME_NET any -> [159.89.45.99] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747205/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747205; rev:1;)
# NOTE(review): the two Ghost RAT entries below use ports 443 and 80. With no payload
# match, the peer is identified by address alone; if that address is shared or later
# reassigned, unrelated web traffic will alert. Corroborate with host or proxy logs,
# and use first_seen to age the entry out.
alert tcp $HOME_NET any -> [149.210.45.202] 443 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747204/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747204; rev:1;)
alert tcp $HOME_NET any -> [165.232.111.88] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747203/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747203; rev:1;)
alert tcp $HOME_NET any -> [203.123.105.20] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747202/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747202; rev:1;)
alert tcp $HOME_NET any -> [167.99.217.75] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747201/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747201; rev:1;)
alert tcp $HOME_NET any -> [158.94.211.97] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747199/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747199; rev:1;)
alert tcp $HOME_NET any -> [161.35.46.30] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747200/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747200; rev:1;)
alert tcp $HOME_NET any -> [144.79.12.69] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747198/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747198; rev:1;)
alert tcp $HOME_NET any -> [143.110.167.245] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747197/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9d84ea08.php"; depth:13; nocase; http.host; content:"a1230588.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747195; rev:1;) alert tcp $HOME_NET any -> [45.10.164.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747196/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747196; rev:1;) alert tcp $HOME_NET any -> [198.199.122.33] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747194/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747194; rev:1;) alert tcp $HOME_NET any -> [167.86.110.155] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747193/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747193; rev:1;) alert tcp $HOME_NET any -> [167.172.154.26] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747192/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747192; rev:1;) alert tcp $HOME_NET any -> [157.245.176.16] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1747191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747191; rev:1;) alert tcp $HOME_NET any -> [161.35.12.194] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747190/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747190; rev:1;) alert tcp $HOME_NET any -> [209.38.33.240] 8001 (msg:"ThreatFox Aisuru botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747189/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747189; rev:1;) alert tcp $HOME_NET any -> [151.59.35.193] 8080 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747188/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747188; rev:1;) alert tcp $HOME_NET any -> [212.193.31.163] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747187/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747187; rev:1;) alert tcp $HOME_NET any -> [151.59.32.237] 8080 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747186/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747186; rev:1;) alert tcp $HOME_NET any -> [42.237.107.188] 55442 (msg:"ThreatFox Mozi botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747185/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747185; rev:1;) alert tcp $HOME_NET any -> [117.217.90.148] 50009 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747184/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747184; rev:1;) alert tcp $HOME_NET any -> [117.196.134.17] 33060 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747183/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747183; rev:1;) alert tcp $HOME_NET any -> [117.215.51.164] 42901 (msg:"ThreatFox Mozi botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747182/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747182; rev:1;) alert tcp $HOME_NET any -> [31.57.33.235] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747181/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747181; rev:1;) alert tcp $HOME_NET any -> [95.130.225.145] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747180/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; 
sid:91747180; rev:1;) alert tcp $HOME_NET any -> [189.150.83.128] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747179/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747179; rev:1;) alert tcp $HOME_NET any -> [2.143.154.174] 6001 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747177/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747177; rev:1;) alert tcp $HOME_NET any -> [211.197.155.214] 6000 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747178/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747178; rev:1;) alert tcp $HOME_NET any -> [118.122.8.157] 992 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747176/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747176; rev:1;) alert tcp $HOME_NET any -> [121.89.205.206] 3115 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747175/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747175; rev:1;) alert tcp $HOME_NET any -> [163.53.152.206] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747173/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747173; rev:1;) alert tcp $HOME_NET any -> [52.202.90.227] 4435 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747174/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747174; rev:1;) alert tcp $HOME_NET any -> [216.250.226.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747171/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747171; rev:1;) alert tcp $HOME_NET any -> [13.235.103.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747172/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747172; rev:1;) alert tcp $HOME_NET any -> [199.91.200.230] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747170/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747170; rev:1;) alert tcp $HOME_NET any -> [20.241.207.58] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747168/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747168; rev:1;) alert tcp 
$HOME_NET any -> [38.103.18.147] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747169/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747169; rev:1;) alert tcp $HOME_NET any -> [199.167.131.71] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747167/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747167; rev:1;) alert tcp $HOME_NET any -> [4.246.141.209] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747166/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747166; rev:1;) alert tcp $HOME_NET any -> [139.99.86.89] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747164/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747164; rev:1;) alert tcp $HOME_NET any -> [27.102.138.230] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747165/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747165; rev:1;) alert tcp $HOME_NET any -> [27.102.138.125] 443 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747163/; 
target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747163; rev:1;) alert tcp $HOME_NET any -> [27.102.138.125] 80 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747162/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747162; rev:1;) alert tcp $HOME_NET any -> [51.161.11.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747161/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747161; rev:1;) alert tcp $HOME_NET any -> [2.59.119.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747160/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747160; rev:1;) alert tcp $HOME_NET any -> [58.59.44.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747159/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747159; rev:1;) alert tcp $HOME_NET any -> [143.198.65.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747158/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747158; rev:1;) alert tcp $HOME_NET any -> [109.131.141.80] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747157/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747157; rev:1;) alert tcp $HOME_NET any -> [144.172.101.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747156/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747156; rev:1;) alert tcp $HOME_NET any -> [172.245.228.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747155/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747155; rev:1;) alert tcp $HOME_NET any -> [107.189.25.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747154/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747154; rev:1;) alert tcp $HOME_NET any -> [204.76.203.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747153/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747153; rev:1;) alert tcp $HOME_NET any -> [89.163.214.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747152/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; 
sid:91747152; rev:1;) alert tcp $HOME_NET any -> [38.190.254.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747151/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747151; rev:1;) alert tcp $HOME_NET any -> [185.239.239.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747150/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747150; rev:1;) alert tcp $HOME_NET any -> [47.109.148.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747149/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747149; rev:1;) alert tcp $HOME_NET any -> [91.92.243.10] 1234 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747148; rev:1;) alert tcp $HOME_NET any -> [217.217.254.115] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747147/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747147; rev:1;) alert tcp $HOME_NET any -> [164.92.151.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1747146/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747146; rev:1;) alert tcp $HOME_NET any -> [103.245.251.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747145/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747145; rev:1;) alert tcp $HOME_NET any -> [45.12.138.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747144; rev:1;) alert tcp $HOME_NET any -> [57.129.86.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747143/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747143; rev:1;) alert tcp $HOME_NET any -> [102.117.163.154] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747142; rev:1;) alert tcp $HOME_NET any -> [150.136.164.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747141/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747141; rev:1;) alert tcp $HOME_NET any -> [121.43.182.95] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747140/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747140; rev:1;) alert tcp $HOME_NET any -> [45.66.164.17] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747139; rev:1;) alert tcp $HOME_NET any -> [34.87.24.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747138/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747138; rev:1;) alert tcp $HOME_NET any -> [194.164.123.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747137/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747137; rev:1;) alert tcp $HOME_NET any -> [80.91.79.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747136/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747136; rev:1;) alert tcp $HOME_NET any -> [212.86.116.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747135/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; 
classtype:trojan-activity; sid:91747135; rev:1;) alert tcp $HOME_NET any -> [5.199.173.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747134/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747134; rev:1;) alert tcp $HOME_NET any -> [45.112.194.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747133/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747133; rev:1;) alert tcp $HOME_NET any -> [95.214.181.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747132/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747132; rev:1;) alert tcp $HOME_NET any -> [213.176.16.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747130/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747130; rev:1;) alert tcp $HOME_NET any -> [106.13.223.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747131; rev:1;) alert tcp $HOME_NET any -> [50.212.4.1] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1747129/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747129; rev:1;) alert tcp $HOME_NET any -> [114.66.31.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747128/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747128; rev:1;) alert tcp $HOME_NET any -> [101.34.92.139] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747127/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747127; rev:1;) alert tcp $HOME_NET any -> [117.72.191.140] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747126/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747126; rev:1;) alert tcp $HOME_NET any -> [103.69.194.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747125/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747125; rev:1;) alert tcp $HOME_NET any -> [52.151.31.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747124/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747124; rev:1;) alert tcp $HOME_NET any -> [78.192.214.83] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747122/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747122; rev:1;)
# ip:port rules (alert tcp $HOME_NET any -> [address] port): there is no content, flow or flags
# keyword, so any TCP packet from $HOME_NET to the listed address and port matches. The threshold
# (type limit, track by_src, count 1, seconds 60) caps output at one alert per source address per
# minute, and target:src_ip marks the internal source host as the affected side of the event.
# The Cobalt Strike entries down to sid:91747116 carry confidence_level 50, lower than the 100 on
# most rules here; treat a hit as a lead to corroborate with host or proxy telemetry.
alert tcp $HOME_NET any -> [52.151.31.52] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747123/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747123; rev:1;)
alert tcp $HOME_NET any -> [117.72.191.140] 8028 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747121/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747121; rev:1;)
alert tcp $HOME_NET any -> [172.245.242.117] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747119/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747119; rev:1;)
alert tcp $HOME_NET any -> [156.234.247.125] 38080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747118/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747118; rev:1;)
alert tcp $HOME_NET any -> [23.235.179.112] 38080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747117/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747117; rev:1;)
alert tcp $HOME_NET any -> [23.226.58.237] 38080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747116/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_13; classtype:trojan-activity; sid:91747116; rev:1;)
# sid:91747115 keys on port 80 of one address with no payload check, so any TCP traffic from
# $HOME_NET to that address on the web port alerts; review it if the address changes hands.
alert tcp $HOME_NET any -> [104.248.223.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747115; rev:1;)
alert tcp $HOME_NET any -> [112.125.18.189] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747114; rev:1;)
alert tcp $HOME_NET any -> [120.55.195.205] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747113; rev:1;)
# Domain rules: depth equals the length of the name and isdataat:!1,relative forbids trailing
# bytes, so dns_query must equal the listed name exactly (nocase makes the comparison
# case-insensitive). A query for a subdomain or for another label under the same parent does not
# match. These rules carry no threshold keyword, unlike the ip:port rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"infinity.glor5ven2ta.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"donner.plar9ten2zo.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"espoir.plar9ten2zo.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nebula.blen7kor2za.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747108; rev:1;)
alert tcp $HOME_NET any -> [206.123.145.65] 6621 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747062; rev:1;)
alert tcp $HOME_NET any -> [87.242.106.13] 21285 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747064; rev:1;)
alert tcp $HOME_NET any -> [38.60.134.155] 12121 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747087; rev:1;)
alert tcp $HOME_NET any -> [82.165.51.16] 7974 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747094; rev:1;)
alert tcp $HOME_NET any -> [82.165.51.16] 1981 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747096; rev:1;)
alert tcp $HOME_NET any -> [82.165.51.16] 6000 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747098; rev:1;)
alert tcp $HOME_NET any -> [209.25.140.20] 1025 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747056; rev:1;)
alert tcp $HOME_NET any -> [209.25.140.20] 1028 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747055; rev:1;)
alert tcp $HOME_NET any -> [146.59.151.2] 14433 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747053; rev:1;)
alert tcp $HOME_NET any -> [51.89.23.91] 14433 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747052; rev:1;)
alert tcp $HOME_NET any -> [185.208.156.187] 8771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747036; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747031; rev:1;)
alert tcp $HOME_NET any -> [185.53.179.128] 443 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"audioza.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747030; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.159] 18129 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747010; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 7839 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747008; rev:1;)
# URL rules: GET requests on established client-to-server flows. http.uri is anchored at offset 0
# by depth but has no isdataat:!1, so the listed path is a prefix match (a query string or a
# longer path still alerts); nocase applies to the path. http.host must equal the listed host
# exactly. These rules inspect parsed HTTP only, so the same fetch inside TLS is not seen by
# them; where a dns rule for the same name is listed, it still sees the lookup if the sensor
# observes the resolver traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"winjak.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"winjak.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"poritkaz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"winjak.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"winiks.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"winiks.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"berlof.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"berlof.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ferlik.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"ferlik.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bezelek.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"bezelek.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"servupdt.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/css.js"; depth:11; nocase; http.host; content:"servupdt.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poritkaz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746948; rev:1;)
alert tcp $HOME_NET any -> [193.58.121.235] 52162 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746944; rev:1;)
alert tcp $HOME_NET any -> [198.46.173.21] 4607 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746953; rev:1;)
alert tcp $HOME_NET any -> [158.94.210.195] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.php"; depth:9; nocase; http.host; content:"poritkaz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/helpu.php"; depth:10; nocase; http.host; content:"poritkaz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"poritkaz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"poritkaz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"updtserv.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"updtserv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"servupdt.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"servupdt.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.zip"; depth:9; nocase; http.host; content:"winjak.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configpack.zip"; depth:15; nocase; http.host; content:"winjak.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borecas.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verolix.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746980; rev:1;)
alert tcp $HOME_NET any -> [158.94.210.195] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91746996; rev:1;)
alert tcp $HOME_NET any -> [158.94.210.195] 3007 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747019/; target:src_ip; metadata: confidence_level 80, first_seen 2026_02_13; classtype:trojan-activity; sid:91747019; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.188] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747063; rev:1;)
# http.host holds an IP literal in sid:91747092, so the request needs no DNS lookup and no domain
# rule can back it up; the entry is rated confidence_level 75.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cj7ly.sh"; depth:10; nocase; http.host; content:"178.16.54.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747092/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vlxx.us.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remc9095j.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747105; rev:1;)
alert tcp $HOME_NET any -> [185.242.3.72] 1003 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zukunft.blen7kor2za.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voyage.klon2par6si.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747093; rev:1;)
# Both ValleyRAT entries are rated confidence_level 75. sid:91747090 uses port 3389, the default
# RDP port; with no payload keyword the rule cannot separate C2 traffic from an ordinary RDP
# session to that address.
alert tcp $HOME_NET any -> [192.252.181.4] 8089 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747091/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747091; rev:1;)
alert tcp $HOME_NET any -> [192.252.181.4] 3389 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747090/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8574ba9c14cf4c8b.php"; depth:21; nocase; http.host; content:"150.241.83.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747084; rev:1;)
alert tcp $HOME_NET any -> [103.177.47.245] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747081; rev:1;)
alert tcp $HOME_NET any -> [44.243.198.170] 33300 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747080; rev:1;)
alert tcp $HOME_NET any -> [44.243.198.170] 1200 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747079; rev:1;)
alert tcp $HOME_NET any -> [199.101.109.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747078; rev:1;)
alert tcp $HOME_NET any -> [45.155.69.147] 42535 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747077; rev:1;)
alert tcp $HOME_NET any -> [95.216.107.62] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747076; rev:1;)
alert tcp $HOME_NET any -> [104.223.84.8] 14643 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747075; rev:1;)
alert tcp $HOME_NET any -> [104.234.63.107] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747074; rev:1;)
alert tcp $HOME_NET any -> [45.137.23.15] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asfegfrwg4t42t-58664.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747072; rev:1;)
alert tcp $HOME_NET any -> [109.107.161.96] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747071; rev:1;)
alert tcp $HOME_NET any -> [13.43.94.7] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747070; rev:1;)
alert tcp $HOME_NET any -> [89.167.68.28] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747069; rev:1;)
alert tcp $HOME_NET any -> [168.231.109.47] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747068; rev:1;)
alert tcp $HOME_NET any -> [192.99.169.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747067/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_13; classtype:trojan-activity; sid:91747067; rev:1;)
alert tcp $HOME_NET any -> [27.50.54.171] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747066/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_13; classtype:trojan-activity; sid:91747066; rev:1;)
alert tcp $HOME_NET any -> [156.238.242.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vision.klon2par6si.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"freiheit.drim9sol3ka.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumiere.drim9sol3ka.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747054; rev:1;)
alert tcp $HOME_NET any -> [167.160.190.182] 4444 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747051; rev:1;)
alert tcp $HOME_NET any -> [80.87.206.164] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747050; rev:1;)
alert tcp $HOME_NET any -> [144.126.149.104] 1006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747049; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.158] 7777 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747048; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.183] 1000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747047; rev:1;)
alert tcp $HOME_NET any -> [198.23.215.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747046; rev:1;)
alert tcp $HOME_NET any -> [172.111.139.231] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747045; rev:1;)
alert tcp $HOME_NET any -> [106.12.153.90] 8080 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_13; classtype:trojan-activity; sid:91747044; rev:1;)
# Entries from here to the end of this span carry first_seen 2026_02_12; the first_seen value is
# the only age signal in the rule, so it is the field to key on when retiring stale indicators.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beyond.trak8lin4zo.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747041; rev:1;)
alert tcp $HOME_NET any -> [130.61.237.253] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747040; rev:1;)
alert tcp $HOME_NET any -> [194.187.122.190] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747039; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.148] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glanz.trak8lin4zo.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747037; rev:1;)
# The two duckdns.org names below are rated confidence_level 75. The match is on the full name
# only, so other labels under duckdns.org are unaffected by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"miraclemiracleoluwa.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747035/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91747035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greatthingshapppenthanku.duckdns.org"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747034/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91747034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sourire.brav7mon3ky.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747032; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747028; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747027; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747026; rev:1;)
alert
tcp $HOME_NET any -> [3.66.38.117] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747024; rev:1;)
# ip:port rules have no flow: or flags: keyword and no payload match, so they
# can fire on any TCP packet from $HOME_NET to the listed address and port,
# including a SYN that is never answered. The threshold limits output to one
# alert per source per 60 seconds. Read a hit as "connection attempted" and
# confirm the session from flow records or endpoint telemetry.
alert tcp $HOME_NET any -> [3.69.157.220] 10859 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747025; rev:1;)
# Domain rules: depth equals the content length and isdataat:!1,relative
# forbids any following byte, so the whole query name must equal the content
# (case-insensitively). Other names under the same parent domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"discovery.brav7mon3ky.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kde-exe.with.playit.plus"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747022; rev:1;)
# URL rule: http.host is pinned to the exact value (depth + isdataat), but
# http.uri carries only depth:8, so every path that begins with "/updater"
# matches. There is no threshold keyword on url rules, so each matching
# request alerts. sid:91746963 further down this file has the same match
# conditions, so one request raises two alerts; dedupe on the request when
# triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"endlessgrumbler.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1747020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ouryearofmoney001.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747017; rev:1;)
# ip:port rule: no flow: or flags: keyword, so a single outbound packet to
# this address and port is enough to alert (rate-limited to one alert per
# source per 60 seconds by the threshold keyword).
alert tcp $HOME_NET any -> [79.137.194.178] 5412 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747016; rev:1;)
# Each domain rule matches one complete query name: depth equals the content
# length and isdataat:!1,relative rejects anything longer. The "sseeo.org"
# rule therefore does not fire on "v2.sseeo.org" or "v3.sseeo.org", which is
# why those names have their own sids. Any other label under the same parent
# is not covered by these three rules; hunt on the parent domain in DNS logs
# if wider coverage is needed.
# NOTE(review): dns_query is the older spelling of the dns.query sticky
# buffer; the url rules in this file already use the dotted http.* form.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sseeo.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.sseeo.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.sseeo.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malware.battolka.sa.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1747012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"battolka.sa.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1747011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747011; rev:1;) alert tcp $HOME_NET any -> [58.244.43.233] 10001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747006; rev:1;) alert tcp $HOME_NET any -> [54.155.20.112] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747005; rev:1;) alert tcp $HOME_NET any -> [154.86.18.163] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747004; rev:1;) alert tcp $HOME_NET any -> [142.171.223.34] 19873 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747003; rev:1;) alert tcp $HOME_NET any -> [118.107.0.254] 2002 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747002; rev:1;)
# ip:port rules match on destination address and port only: there is no
# flow:, flags: or payload keyword, so the malware family named in msg comes
# from the feed entry, not from anything inspected on the wire. The threshold
# emits one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [223.109.91.213] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1747000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91747000; rev:1;)
# On ports 443 and 80 the rule cannot separate C2 from any other service
# reachable on the same address. The only age information is first_seen;
# NOTE(review): re-check the referenced IOC page before acting on older
# entries, since the rule itself carries no expiry.
alert tcp $HOME_NET any -> [206.189.213.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746999; rev:1;)
alert tcp $HOME_NET any -> [197.204.246.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746998; rev:1;)
alert tcp $HOME_NET any -> [188.166.160.90] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746997; rev:1;)
alert tcp $HOME_NET any -> [154.86.19.110] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746995/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746995; rev:1;) alert tcp $HOME_NET any -> [68.221.173.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746994/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assin6k7n.rye93shishaty.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746992; rev:1;) alert tcp $HOME_NET any -> [180.76.103.69] 4321 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746991/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746991; rev:1;) alert tcp $HOME_NET any -> [172.236.231.9] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746989/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746989; rev:1;) alert tcp $HOME_NET any -> [149.28.227.64] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746988/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746988; rev:1;) alert tcp $HOME_NET any -> [138.2.121.207] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746987/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746987; rev:1;)
# Same destination address as sid:91746908 (port 443, confidence_level 100);
# this entry covers port 8888 at confidence_level 75. Correlate the two sids
# per source host rather than counting them as separate incidents.
alert tcp $HOME_NET any -> [103.149.93.152] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746984/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746984; rev:1;)
# Domain rules match the complete query name only (depth equals the content
# length, isdataat:!1,relative rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mag1q9t.rye93shishaty.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746981; rev:1;)
# Same match conditions as sid:91747020 earlier in this file (GET, URI
# starting with "/updater", Host exactly "endlessgrumbler.cc"); only the
# reference URL and sid differ, so one request raises both alerts. The URI is
# anchored at the start only, so longer paths with that prefix also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater"; depth:8; nocase; http.host; content:"endlessgrumbler.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idi-nahuy.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diva.ru.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gablewize.ru.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynumdzg6a.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hisoftsfnrq.ru.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x77r44p.rye93shishaty.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k4n7a3n.favour128influen.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746941/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_12; classtype:trojan-activity; sid:91746941; rev:1;)
# The two names below are each listed twice: once as a domain IOC (dns rule)
# and once as a url IOC (http rule). A host that resolves the name and then
# fetches a page alerts on both sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzg.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzg.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746940; rev:1;)
# http.uri content:"/" with depth:1 only requires the URI to begin with "/",
# which every origin-form request path does. These rules therefore reduce to
# "any GET whose Host is exactly this name": the path adds no specificity.
# There is no threshold keyword, so every matching GET alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mzg.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mzg.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ted9q6r.favour128influen.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/principal-effect.js"; depth:25; nocase; http.host; content:"beer2p.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beer2p.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/endpoint-cache.php"; depth:24; nocase; http.host; content:"beer2p.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/redirect-xml.js"; depth:21; nocase; http.host; content:"beer2p.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/register"; depth:9; nocase; http.host; content:"193.201.82.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746928; rev:1;)
# Domain rules match the complete query name only (depth equals the content
# length, isdataat:!1,relative rejects trailing bytes, nocase).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gardenscup.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746935; rev:1;)
# confidence_level 50: the action (alert) and classtype (trojan-activity) are
# identical to the 100% entries, so the lower confidence is visible only in
# msg and the metadata field. Any prioritisation or suppression by confidence
# has to key on metadata downstream of the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"inspire-moi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746930/; target:src_ip; metadata: confidence_level 50, first_seen 2026_02_12; classtype:trojan-activity; sid:91746930; rev:1;)
# ip:port rules: no flow:, flags: or payload keyword, so any TCP packet from
# $HOME_NET to the listed address and port can alert (one alert per source
# per 60 seconds). A hit shows an attempted connection; confirm that a
# session was established from flow or endpoint data before escalating.
alert tcp $HOME_NET any -> [178.81.14.217] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746900; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.29] 61938 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746902; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.180] 19481 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1746904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pass5x1m.favour128influen.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r332a8q.buckshot3hha.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x49k7m.buckshot3hha.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746918; rev:1;) alert tcp $HOME_NET any -> [109.164.56.92] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746916/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nssss6p3t.buckshot3hha.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746915/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746915; rev:1;) alert tcp $HOME_NET any -> [16.112.128.183] 9641 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746913; rev:1;) alert tcp $HOME_NET any -> [43.216.211.111] 10261 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746914; rev:1;) alert tcp $HOME_NET any -> [159.65.202.204] 8888 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746912; rev:1;) alert tcp $HOME_NET any -> [175.192.75.105] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746911; rev:1;) alert tcp $HOME_NET any -> [212.193.31.183] 9000 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746910; rev:1;) alert tcp $HOME_NET any -> [151.243.109.99] 7001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746909; rev:1;) alert tcp $HOME_NET any -> [103.149.93.152] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746908; rev:1;) alert tcp $HOME_NET any -> [112.126.56.105] 4434 (msg:"ThreatFox GobRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ark7r5k.kolos56tomat.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"web-q9t2n.kolos56tomat.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/endpoint-cache.php"; depth:24; nocase; http.host; content:"sonyj.com"; depth:9; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sonyj.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/redirect-xml.js"; depth:21; nocase; http.host; content:"sonyj.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file1"; depth:6; nocase; http.host; content:"79.141.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file1"; depth:6; nocase; http.host; content:"awakeningd.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zip1"; depth:5; nocase; http.host; content:"79.141.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"booking.lastminutebusinessclass.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"numerito.asuscomm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8hrs4f4vh/index.php"; depth:21; nocase; http.host; content:"85.137.252.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"netzhit.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746880/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_12; classtype:trojan-activity; sid:91746880; rev:1;)
# URL rule and domain rule for the same host: one download attempt can raise
# the DNS alert (query for netzhit.com) and then the HTTP alert (GET to that
# host). Correlate them by source host and time instead of counting them as
# separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5s8h.js"; depth:8; nocase; http.host; content:"netzhit.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"netzhit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746879; rev:1;)
# ip:port IOC rule shape: there are no payload or flow keywords, so the match
# is on destination address and port alone. The threshold (type limit, track
# by_src, 60 seconds, count 1) caps output at one alert per source host per
# minute. The family name in msg is the feed's label for the address; the rule
# itself does not check which protocol is spoken.
# NOTE(review): with no flow:established, presumably an unanswered connection
# attempt alerts too - confirm before treating a hit as an active session.
alert tcp $HOME_NET any -> [85.158.108.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746888; rev:1;)
alert tcp $HOME_NET any -> [149.28.227.64] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746887/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_12; classtype:trojan-activity; sid:91746887; rev:1;)
# Port 443 with confidence_level 90: an address match cannot tell C2 apart from
# any other service on the same IP. Corroborate with TLS or endpoint telemetry
# before blocking or escalating.
alert tcp $HOME_NET any -> [64.188.65.166] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746886/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_12; classtype:trojan-activity; sid:91746886; rev:1;)
alert tcp $HOME_NET any -> [154.86.19.86] 14994 
(msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746885/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746885; rev:1;) alert tcp $HOME_NET any -> [18.194.217.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mmm4x8p.kolos56tomat.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b5rr7a.prong8tatsky.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x1-n9q.prong8tatsky.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746881; rev:1;) alert tcp $HOME_NET any -> [156.247.41.106] 8888 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1746877/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"655rd9or.caretouched.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"h3wwqgbo.caretouched.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t8aak3m.prong8tatsky.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746874; rev:1;) alert tcp $HOME_NET any -> [156.247.41.106] 6666 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"reppox.glint39parko.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746872/; target:src_ip; metadata: confidence_level 
100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746872; rev:1;)
# Two domain IOCs, each matched as an exact DNS query name (depth equals the
# content length and isdataat:!1,relative forbids trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zor.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zor.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746871; rev:1;)
# URL IOCs for the same two hosts. The http.uri pattern is "/" with depth:1 and
# no end anchor, so it is satisfied by effectively every request URI. In
# practice each rule fires on any cleartext GET whose host equals the listed
# name. They add HTTP-layer confirmation to the domain rules above but no path
# specificity, and they do not see requests carried inside TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zor.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zor.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a6mm9t.glint39parko.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746866; rev:1;) alert tcp $HOME_NET any -> [8.219.53.200] 5001 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746865/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"w7c2q.glint39parko.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"k9x5nff.tronk6vesta.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"z4kt1r.tronk6vesta.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdd-6m8a.tronk6vesta.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746858; rev:1;) alert tcp $HOME_NET any -> [103.119.3.160] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746856; rev:1;) alert tcp $HOME_NET any -> [43.204.22.133] 8080 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746854; rev:1;) alert tcp $HOME_NET any -> [51.48.163.208] 29281 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746853; rev:1;) alert tcp $HOME_NET any -> [199.101.111.101] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vlxx.co.za"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aivo.sa.com"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746850; rev:1;)
# ip:port IOCs: each rule matches on destination address and port only and is
# rate-limited to one alert per source host per 60 seconds by the threshold.
# NetSupport Manager is also sold as a legitimate remote-administration tool.
# This rule keys on the listed address rather than on the product's traffic, so
# a hit means contact with this specific endpoint; confirm what is running on
# the source host before concluding it is the RAT.
alert tcp $HOME_NET any -> [91.187.138.61] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746849; rev:1;)
alert tcp $HOME_NET any -> [34.88.149.206] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746848; rev:1;)
alert tcp $HOME_NET any -> [122.114.10.199] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746847; rev:1;)
# NOTE(review): ply.gg appears to be a tunnelling/relay service zone. The
# exact-match anchors limit this rule to the one assigned hostname, which may
# later be released and handed to another user - check that the IOC is still
# current (first_seen 2026_02_12) before acting on a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wish-carefully.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"numbers-23.plax482verdi.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746845/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746845; rev:1;) alert tcp $HOME_NET any -> [91.92.240.114] 20000 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"carry.plax482verdi.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hass-8r3p.plax482verdi.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t0veek.brisk7dento.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746839; rev:1;) alert tcp $HOME_NET any -> [103.106.228.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"japetuxaliq.sa.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemaco.ch"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kind.co.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klubblyftet.ru.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npzfh.ru.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nrp.co.com"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1746836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buhlfp.ru.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qem2a.brisk7dento.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"benn4x.brisk7dento.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r5k0t.flint09marko.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7e1669c87b2a4f93.php"; depth:21; nocase; http.host; content:"89.208.106.114"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1746823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746823; rev:1;) alert tcp $HOME_NET any -> [45.130.164.228] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746822; rev:1;) alert tcp $HOME_NET any -> [37.120.199.54] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m2-q8v.flint09marko.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"xerpa.flint09marko.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sable14x.reward2rocket.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gesundeswasser.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746806/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-dce4815fde8f4b84a55fe31ab7cf28c3.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746807/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maheshwaree.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746808/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dorper.com.au"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746809/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fd1c2342-e679-4d72-8d6c-14188a0889f5.journalultv.edu.vn"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746790/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746790; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capazmente.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746791/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746791; rev:1;)
# Domain IOCs at confidence_level 75 whose msg names no malware family. Each
# matches one exact DNS query name. The rule text gives no context beyond the
# name, so use the reference URL to see what the feed observed before blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"infobirdrep.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746792/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746792; rev:1;)
# NOTE(review): this name looks like a shared object-storage service endpoint
# rather than a host dedicated to one actor. If so, lookups by unrelated users
# of that service match as well, and the alert says little on its own. Confirm
# against the ThreatFox entry and consider disabling or suppressing this sid
# locally where the service is in normal use.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eu2.contabostorage.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746793/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"martinpintado.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746794/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"testshop.thermeeins.de"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746795/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"setenews.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746796/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloudflare-app.mooo.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746797/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"otticaramoni.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746798/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdreplab.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746799/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmm-intranet-document-explorer.netlify.app"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746800/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"revistadiversidadcultural.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1746801/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rootsmacaronesia.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746802/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuanauntung.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746803/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"robobotics.eu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746804/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"scillarodriguez.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746805/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hhpms.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746775/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aiolocksmithstpetersburg.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746776/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloud-file-explorer.netlify.app"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746777/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gtl.ci"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746778/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"akwatic-hotel.ci"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746779/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rafelink.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746780/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"clipacc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746781/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"senevie.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746782/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-f3584a9197da4a3ab7b71a89ef92a1c7.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746783/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capgokil.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746784/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"upfilenew.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746785/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"topbirdrank.com"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746786/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tonnsfabrication.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746787/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bharatnamkeens.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746788/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skipgorman.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746789/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luminateclinic.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746760/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wtaindia.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746761/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xytelindia.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746762/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spinedoctors.md"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746763/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mondossierrenov.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746764/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adult.cheahpartners.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746765/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"warmembraceshop.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746766/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update-ccleaner.run.place"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746767/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dubaiexpertplumber.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746768/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dat.claims"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746769/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unclewileys.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746770/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nontonfilm.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746771/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"corporateofficehq.com"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746773/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"akademiawalki.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746774/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stakesol.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746744/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"m-t.gov.gr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746745/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chemistnotes.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746746/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.alampat.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746747/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-4ecf9dbb36b14a6ca5cc2edda94239c8.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746748/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"floralsupply.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746749/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.lntrealty.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746750/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rjccabinets.com.au"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746751/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sunlook.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746752/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746752; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aticusllc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746753/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thoseguysepoxyandmore.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746754/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ardiellifornasa.ge"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746755/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"piworfolo.com.theplatinumguesthouse.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746756/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eetools.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746757/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"jzs86.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746758/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-a8c70268707f403c889fb3370abffd68.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746759/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clarionschooldubai.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746741/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newsouthhomes.com.au"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746742/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-2889d605e08246e4846fd7d50b9f7673.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746743/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankup.com"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1746733/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-2149a070e76f4ccabd67228f754768dc.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746734/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ipmmasterclass.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746735/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ashigaruwallet.rs"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746736/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"marineeducational.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746737/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"paok24.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746738/; target:src_ip; metadata: confidence_level 75, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chillimanis.com.sg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746739/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"energy-ts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746740/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hglawyers.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746720/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dongfeng-uae.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746721/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"northamptonorthopaedics.co.uk"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746722/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elternrat-bezaarau.ch"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746723/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tradesync.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746724/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avanteoficina.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746725/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-75942411e32842ff9c7c36752d5fbba8.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746726/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eastwestglassexpert.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746727/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"constructionsmcl.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746728/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankex.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746729/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.thebrainworkshop.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746730/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elcomltd.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746731/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"os.clinic"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746732/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.journalultv.edu.vn"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746708/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glynneathdental.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746709/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"termal.bailetusnad.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746710/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"probirdrank.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746711/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moro-mie.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746712/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tickets-sarstedt.365-portal.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746713/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746713; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theamoralists.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746714/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comolube.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746715/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cryptocompass.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746716/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"minhajautorepair-ae.oam.pgs.mybluehostin.me"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746717/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-b4e149870eb044c2b0d90459885821f9.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746718/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"careerslumen.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746719/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gcloudfs.icu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746692/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yourishikesh.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746693/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass.pages.dev"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746694/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"365-docs.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746695/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-31a7ccb7d5264101a447a2914e357e5f.r2.dev"; depth:43; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746696/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"babybauchblog.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746697/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reachbirdrank.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746698/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"balbharatischool.in"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746699/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloudflare.cheahpartners.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746700/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"easygoldtrading.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746701/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankhelp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746702/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sindangkasihnews.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746703/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuanahebat.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746704/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking-verify-check-number1883.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746705/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pub-f00f6c74748b448cad437351a835c6cf.r2.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746706/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; 
sid:91746706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking.com-sign-in.world"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746707/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-021003.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746678/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-021002.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746679/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-021001.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746680/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-011005.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746681/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746681; rev:1;) 
# NOTE(review): how the DNS rules in this list match, and what they do not cover.
# - dns_query + content + depth:<length of the name> + isdataat:!1,relative + nocase
#   pins the whole query name: a rule fires only when the queried name equals the
#   listed domain, compared case-insensitively. A lookup for a subdomain such as
#   www.<listed-domain> does not match.
# - Direction is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the querying
#   side as the affected host. Where clients use an internal resolver, the alert
#   source is presumably that resolver; correlate with resolver query logs to
#   find the originating client (depends on sensor placement - verify).
# - Only DNS traffic the sensor can parse is inspected; names resolved over
#   encrypted DNS (DoH/DoT) are presumably not visible to these rules.
# - metadata carries confidence_level 75 and first_seen 2026_02_12. Several entries
#   sit under shared hosting suffixes (pages.dev, r2.dev) or look like ordinary
#   business or institution sites, so treat a hit as a lead to corroborate with
#   the referenced ThreatFox entry and host telemetry, and age out stale entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-011003.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746682/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-011002.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746683/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shop.stil.co.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746684/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rootsems.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746685/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-udk3nbdbw842.pages.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746686/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking-verification.click"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746687/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"africanhillslodge.co.za"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746688/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gecal.com.br"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746689/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gclouds.icu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746690/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zeta-financial.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746691/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"traitement-anti-fourmis.fr"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746663/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"memorialgreenturf.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746664/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metronomie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746665/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qr.emedia.ae"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746666/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stu.edu.iq"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746667/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-usfnskwkn666.pages.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746668/; 
target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nashamuktijabalpur.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746669/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-bckdpsdeuw.pages.dev"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746670/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-sflepznfhwys3.pages.dev"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746671/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking-verif.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746672/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-hsdiwnxdsndknw.pages.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746673/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-03100dc.pages.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746674/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"solidnews.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746675/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuanasekali.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746676/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-security-bypass-v-021004.pages.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746677/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fixbirdrank.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746647/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746647; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fixbirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746648/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firingpinjournal.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746649/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captcha-verification.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746650/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"documenti-drive.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746651/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dieticianruniakolkata.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746652/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"kantinas.gr"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746653/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"laengconsulting.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746654/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dcnmjewels.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746655/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rockettcg.cl"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746656/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cloudflare-captcha.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746657/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"piworfolo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746658/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"staging.ferreiraco.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746659/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking.com-reactivate.de"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746660/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shreejayjalaramgroup.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746661/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"guard-google.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746662/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"htglobalcircuits.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746630/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"booking.com-admin.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746631/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ideacatcher.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746632/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lilypainexperts.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746633/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankbox.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746634/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"womensfitnessplans.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746635/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"aceimaging.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746636/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tripvoyagehub.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746637/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cbtechnic.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746638/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accessbullx.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746639/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cpdendorsed.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746640/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blancosettlement.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1746641/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shopifycpatch.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746642/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clickuhome.com.hk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746643/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"365-docs.cfd"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746644/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"escortseohizmetleri.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746645/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"email.closeoutstocks.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746646/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sysbirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746613/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dyshpt.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746614/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coronadopreppreschool.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746615/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fresheralerts.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746616/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bonus33.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746617/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 75%)"; dns_query; content:"javsenpaiii.pages.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746618/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"javsenpai.pages.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746619/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captaincoin.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746620/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tenkif.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746621/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"educatorshub.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746622/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"myminicabin.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746623/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abbeysorchids.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746624/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"68gamewin7.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746625/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circleebuildings.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746626/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.kabarpangan.id"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746627/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tools-booster.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746628/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; 
classtype:trojan-activity; sid:91746628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"onlinelearning.efcde.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746629/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepcorp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746597/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepfx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746598/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepinc.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746599/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepsys.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746600/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"birdrepup.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746601/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepinfo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746602/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdreppro.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746603/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankapp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746604/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepfix.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746605/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepwin.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746606/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepuse.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746607/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepbit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746608/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepusa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746609/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"acebirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746610/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrankopt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746611/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746611; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tapbirdrank.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746612/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"upsistem32dat.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746581/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rankieng.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746582/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cih.vbk.temporary.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746583/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b.pendantkart.in"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746584/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"verificationsbycapcha.center"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746585/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"egyeditalpbetet.batz.hu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746586/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"updatesbrows.app"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746587/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jftl.co.in"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746588/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pawprintspublishingllc.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746589/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pbcustomercare.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746590/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"addisartist.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746591/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdranktop.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746592/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepopt.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746593/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bebirdrank.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746594/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bitbirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746595/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746595; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"birdrepnet.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746596/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kjarz.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746565/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cryptoportalhub.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746566/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cryptoinfa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746567/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dmmediacamp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746568/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"pharmacygletsos.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746569/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aslidomino.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746570/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"linkmore.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746571/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"planb.ph"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746572/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"solscan.is"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746573/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cld.hashes.today"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746574/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"title-car.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746575/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hotelthilanka.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746576/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"petersandorf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746577/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xerovent.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746578/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"360-carview.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746579/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746579; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4vspvs.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746580/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www-youtube-com-watchvideo.cfd"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746550/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lowcountrygrapevines.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746551/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sentidoseguros.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746552/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aspirefoundationinc.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746553/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"sandyrelief.aurovine.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746554/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"giooga.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746555/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.geo-home.rw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746556/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coinmarketsap.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746557/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theharadamethod.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746558/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smokingantrecords.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746559/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thealphain.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746560/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spark-news.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746561/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ilingering-verify-clouds.pages.dev"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746562/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"indiasproperty.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746563/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lingering-verify-cloud-86ee.pages.dev"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746564/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_12; classtype:trojan-activity; sid:91746564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aiboxs.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746535/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smokefreehousinginfo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746536/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"g-terrace.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746537/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trimed.com.au"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746539/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"travelmix.ch"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746540/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"karminis.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746541/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suketiawan.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746542/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"1c-bitrix-perenos.adm-center.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746543/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tizambia.org.zm"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746544/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fidestecnologias.com.ve"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746545/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nsgrafica.ao"; depth:12; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1746546/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clinicasdorim.com.br"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746547/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"munichmotorsport.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746548/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"krishnawebservices.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746549/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"developmentsite1.bestchoiceitwebsites.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746519/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mijnvriendinenik.nl"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746520/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metmuseum.wordt-ontwikkeld.be"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746521/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kmhospital.info.digitaljaydeep.in"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746522/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"healthyhabitpath.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746523/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carlosjuniorleite.agencialegalads.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746524/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stratospb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746525/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; 
sid:91746525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thiagoanselmo.oraculodosorixas.com.br"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746526/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youtubethumbnaildownloadhd.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746527/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youthviolenceproject.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746528/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yoshinari-raita.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746529/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"weiler.signo.dev.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746530/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vncomi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746531/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tattes.ch"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746532/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"retirementmaxradio.southernsummits.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746533/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"8050.jp"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746534/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tutions.bhavitutors.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746515/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"store.xinnomix.net"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746516/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746516; rev:1;)
# How the DNS rules in this feed match: the sticky buffer dns_query is searched
# for one name; `depth` equals the length of the `content` string and
# `isdataat:!1,relative` requires that no byte follows the match, so only a
# query for exactly that name fires (`nocase` makes the comparison
# case-insensitive). A query for a subdomain of the listed name does not match.
# NOTE(review): `target:src_ip` tags the querying address as the affected host.
# If the sensor only sees traffic between an internal resolver and the
# Internet, that address is presumably the resolver rather than the endpoint;
# correlate with resolver logs before triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strimex.de"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746517/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"staging.alaincasault.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746518/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746518; rev:1;)
# From here the feed-assigned rating in `metadata` (repeated in `msg`) is
# confidence_level 100 instead of 75. The match logic and classtype are the
# same as above; the value can be used to route or filter alerts downstream.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rhythmbottle.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ticketteaching.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aftermathmonkey.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mittenselection.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746514; rev:1;)
# "payload delivery" entries: only the msg text differs from the C2 entries;
# the classtype is still trojan-activity, so the two categories can only be
# told apart downstream by msg (or by the referenced ThreatFox IOC page).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"riptide306.reward2rocket.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"m1w1mwdm.dozerebelt.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"5osnse1q.dozerebelt.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"solstice77.reward2rocket.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746506; 
rev:1;)
# IP:port indicators. None of the tcp rules below has a flow, flags or content
# keyword, so a match means only that a host in $HOME_NET sent TCP traffic to
# the listed address and port; it does not show a completed session or a
# particular protocol. threshold limits output to one alert per source address
# per 60 seconds, so the alert count says nothing about connection volume.
#
# NOTE(review): the next two rules are confidence_level 75 and target port 443.
# Both addresses look like shared cloud/CDN front-end space (confirm with whois
# or the provider's published ranges). If so, unrelated sites are served from
# them and an ip:port match cannot tell tenants apart; keep these sids
# alert-only and corroborate with DNS or TLS logs before acting.
alert tcp $HOME_NET any -> [3.33.196.131] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746505/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746505; rev:1;)
alert tcp $HOME_NET any -> [151.101.171.182] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746504/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746504; rev:1;)
# confidence_level 100 entries on high, non-standard ports. target:src_ip marks
# the internal host as the alert target, i.e. the machine to triage.
alert tcp $HOME_NET any -> [45.87.153.148] 9802 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746459; rev:1;)
alert tcp $HOME_NET any -> [202.95.17.140] 16688 (msg:"ThreatFox Gh0stnet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746462; rev:1;)
alert tcp $HOME_NET any -> [86.54.42.53] 56001 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746465; rev:1;)
# Domain indicator: depth equals the length of the content string and
# isdataat:!1,relative rejects any trailing byte, so only a query for exactly
# this name matches (nocase makes the comparison case-insensitive).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"echo918.discount5den.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746502; rev:1;) alert tcp $HOME_NET any -> [65.21.182.91] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746496; rev:1;) alert tcp $HOME_NET any -> [77.42.49.62] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746497; rev:1;) alert tcp $HOME_NET any -> [89.167.8.65] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746498; rev:1;) alert tcp $HOME_NET any -> [65.109.254.225] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746499; rev:1;) alert tcp $HOME_NET any -> [65.109.252.105] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746494; rev:1;) alert tcp $HOME_NET any -> [65.109.245.121] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtg.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtg.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gts.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gts.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"65.109.252.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746484; rev:1;)
# URL indicators whose path is just "/": http.uri content "/" with depth:1 is
# satisfied by any request path that starts with "/", so each rule reduces to
# "GET request whose Host header is exactly this value" (depth plus
# isdataat:!1,relative on http.host pin the full string).
# These are "alert http" rules, so they apply only to traffic Suricata parses
# as HTTP. The same addresses are also destinations of the port-443 ip:port
# rules sid:91746494-91746499 in this file, whose msg names Vidar.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.245.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.182.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.42.49.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.8.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746488/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; 
sid:91746488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.254.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gts.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gts.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mtg.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mtg.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.167.68.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746483; rev:1;) alert tcp $HOME_NET any -> [199.101.111.43] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746478; rev:1;) alert tcp $HOME_NET any -> [16.62.211.218] 41604 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746476; rev:1;) alert tcp $HOME_NET any -> [16.62.211.218] 554 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746477; rev:1;) alert tcp $HOME_NET any -> [45.8.47.24] 8000 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1746474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746474; rev:1;) alert tcp $HOME_NET any -> [94.237.63.254] 8082 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746475; rev:1;) alert tcp $HOME_NET any -> [170.187.205.218] 8081 (msg:"ThreatFox Chaos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746473; rev:1;) alert tcp $HOME_NET any -> [188.119.148.125] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746472/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746472; rev:1;) alert tcp $HOME_NET any -> [104.250.169.119] 3010 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2achannel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746468; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"share2e2git.yachts"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cedar27.discount5den.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nebula501.discount5den.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polar9dash.bargainbridge1.coupons"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746463; rev:1;) alert tcp $HOME_NET any -> [8.152.205.177] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746461; rev:1;) alert tcp $HOME_NET any -> [117.72.97.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746460; rev:1;)
# Domain indicators: depth equals the content length and isdataat:!1,relative
# rejects trailing bytes, so the DNS query name must equal the listed name
# exactly; a subdomain of it does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlinekings.cyou"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"throneback.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746456; rev:1;)
# URL indicator with a real path: depth:23 anchors the path at the start of the
# URI and no isdataat follows it, so a longer URI (for example one carrying a
# query string) still matches. The Host value must match exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/donldpats/receptor.php"; depth:23; nocase; http.host; content:"saborizerefeicoes34.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746455; rev:1;)
# Same domain as sid:91746455 above. The DNS rule fires on the lookup itself,
# whatever protocol follows; the HTTP rule needs a parsed GET to that path.
# One infected host can therefore raise both sids for a single contact.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saborizerefeicoes34.store"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746454; rev:1;)
# confidence_level 75, port 443, family given only as "Unknown malware": an
# address-and-port match with no content check, best treated as a lead to
# corroborate rather than as a verdict.
alert tcp $HOME_NET any -> [83.229.17.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746453/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acscervice.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746451; rev:1;) alert tcp $HOME_NET any -> [158.94.208.143] 35630 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746450; rev:1;) alert tcp $HOME_NET any -> [116.102.228.216] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746449; rev:1;) alert tcp $HOME_NET any -> [3.141.20.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746448; rev:1;) alert tcp $HOME_NET any -> [182.123.79.228] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746447; rev:1;) alert 
tcp $HOME_NET any -> [69.62.125.171] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746446; rev:1;)
# IP:port indicator: matches on destination address and port alone (no flow or
# content keyword), rate-limited to one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [138.68.47.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746445; rev:1;)
# The same destination address appears again in this file with port 3399
# (sid:91746396). NOTE(review): one address listed on several unrelated ports
# may be a shared relay or hosting endpoint rather than a dedicated server;
# check the referenced ThreatFox entries before blocking the whole address.
alert tcp $HOME_NET any -> [193.161.193.99] 39262 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746443; rev:1;)
# Names under duckdns.org, a dynamic-DNS zone. The exact-name match (depth plus
# isdataat:!1,relative) leaves every other host in that zone untouched. The
# address behind such a name can change at any time, so take the resolved
# address from DNS logs at alert time rather than from a later lookup.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mindabusiness.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mattersthatmatters.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"greatmatteronly.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ironwood812.bargainbridge1.coupons"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saffron63.bargainbridge1.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fjord305.offer6orchard.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746420; rev:1;) alert tcp $HOME_NET any -> [103.8.27.52] 7221 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746419; rev:1;) alert tcp $HOME_NET any -> [38.134.148.152] 9999 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1746270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746270; rev:1;)
# Domain indicator, confidence_level 100: exact match on the DNS query name
# (depth equals the content length, isdataat:!1,relative rejects trailing bytes).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hubjimfoodsales.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746271; rev:1;)
# Start of a run of confidence_level 75 domain indicators. They carry the same
# classtype (trojan-activity) as the 100% entries, so any priority derived from
# classtype does not reflect the lower confidence. The value is available both
# in msg and as the metadata key confidence_level; use the metadata key if
# these alerts should be routed or suppressed differently.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"futureentrepreneurhub.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746275/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blazingtigerpower.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746276/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stormfurycommandhqex.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746277/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"netrovalixsystems.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746278/; target:src_ip; metadata: confidence_level 75, first_seen 
2026_02_12; classtype:trojan-activity; sid:91746278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"silverlilysummer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746279/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"energyefficienttools.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746280/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"administrator.corepulseworks.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746281/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"primeaiinfrastructure.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746282/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nexustelecomltd.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746283/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746283; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"brightmorningsunrise.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746284/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abqdealershipsnew.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746285/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"futureinnovationlab.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746286/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"administrator.smartlaunchzone.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746287/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proactiveitinfrastructure.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746288/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746288; rev:1;) alert tcp $HOME_NET any -> [91.160.139.68] 27015 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746310; rev:1;) alert tcp $HOME_NET any -> [45.88.186.98] 9739 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746330; rev:1;) alert tcp $HOME_NET any -> [198.244.201.139] 8535 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746334; rev:1;) alert tcp $HOME_NET any -> [90.0.231.39] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746341; rev:1;) alert tcp $HOME_NET any -> [82.102.23.139] 42830 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746351; rev:1;) alert tcp $HOME_NET any -> [185.208.156.187] 8770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746353; rev:1;) alert 
tcp $HOME_NET any -> [147.185.221.31] 21803 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746355; rev:1;)
# URL indicator with a real path: flow:established,from_client restricts it to
# client requests on an established session. depth:28 anchors the path at the
# start of the URI and no isdataat follows it, so a longer URI still matches.
# The Host header must be exactly the listed IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installerr/api/endpoint.php"; depth:28; nocase; http.host; content:"64.188.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746357; rev:1;)
# IP:port indicator: address and port only, no flow or content keyword; one
# alert per source per 60 seconds.
alert tcp $HOME_NET any -> [173.211.46.215] 7788 (msg:"ThreatFox Unknown RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746362; rev:1;)
# confidence_level 90 payload-delivery URL whose path is just "/": content "/"
# with depth:1 matches any request path, so this fires on every GET seen as
# HTTP whose Host is exactly this name, not on one specific download URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"captioz.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746388/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_12; classtype:trojan-activity; sid:91746388; rev:1;)
# Same destination address as sid:91746443 (port 39262) elsewhere in this file.
# NOTE(review): an address listed on several ports may be a shared relay or
# hosting endpoint; confirm against the ThreatFox entries before blocking it.
alert tcp $HOME_NET any -> [193.161.193.99] 3399 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746396; rev:1;)
alert tcp $HOME_NET any 
-> [45.192.213.15] 80 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746415; rev:1;) alert tcp $HOME_NET any -> [45.192.213.15] 8088 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746413; rev:1;) alert tcp $HOME_NET any -> [45.192.213.15] 443 (msg:"ThreatFox ValleyRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zenith44.offer6orchard.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sol/fre.php"; depth:12; nocase; http.host; content:"nonny11.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"cobalt911.offer6orchard.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746410; rev:1;) alert tcp $HOME_NET any -> [64.89.163.7] 8888 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746409/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_12; classtype:trojan-activity; sid:91746409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mango72k.valuevault8.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746406; rev:1;) alert tcp $HOME_NET any -> [148.66.11.10] 5178 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746405; rev:1;) alert tcp $HOME_NET any -> [8.141.114.67] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746400; rev:1;) alert tcp $HOME_NET any -> [185.229.225.122] 1234 (msg:"ThreatFox AdaptixC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746399/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_12; classtype:trojan-activity; sid:91746399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atlas906.valuevault8.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"raven31.valuevault8.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746397; rev:1;) alert tcp $HOME_NET any -> [23.236.64.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746394; rev:1;) alert tcp $HOME_NET any -> [27.124.30.18] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746393; rev:1;) alert tcp $HOME_NET any -> [164.92.167.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"plasma707.promoportal4.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"garnet88.promoportal4.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marlin204.promoportal4.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nylon6burst.bonus7basket.coupons"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cinder930.bonus7basket.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"sierra14.bonus7basket.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tundra803.savvy3spree.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746384; rev:1;) alert tcp $HOME_NET any -> [199.101.111.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"femboyservicesapi.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746382; rev:1;) alert tcp $HOME_NET any -> [159.203.114.198] 7072 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746381; rev:1;) alert tcp $HOME_NET any -> [144.31.203.91] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746379/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746379; rev:1;) alert tcp $HOME_NET any -> [94.156.152.67] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opal57x.savvy3spree.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746378; rev:1;) alert tcp $HOME_NET any -> [128.90.108.111] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746377; rev:1;) alert tcp $HOME_NET any -> [34.88.31.95] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_12; classtype:trojan-activity; sid:91746376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vortex641.savvy3spree.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"basil902.dealharbor2.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"d71j5xk1.highlifeless.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"65w6z13g.highlifeless.digital"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hexagon73.dealharbor2.coupons"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"captioz.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads.yahoos.live"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elkodu.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746366; rev:1;) alert tcp $HOME_NET any -> [192.159.99.158] 1234 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icewf89vp.localto.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drift8wave.coupon9cabin.coupons"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aurora519.coupon9cabin.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746361/; target:src_ip; 
metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"krypton62.coupon9cabin.coupons"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nimbus93.overplaymarbles.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cobalt7.overplaymarbles.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zephyr41.overplaymarbles.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746352; rev:1;) alert tcp $HOME_NET any -> [103.177.47.81] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746350; 
rev:1;) alert tcp $HOME_NET any -> [91.215.85.51] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746349/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x400l.ltangarorw.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746348; rev:1;) alert tcp $HOME_NET any -> [34.88.149.206] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746347; rev:1;) alert tcp $HOME_NET any -> [192.159.99.158] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746346; rev:1;) alert tcp $HOME_NET any -> [192.159.99.158] 4000 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746345; rev:1;) alert tcp $HOME_NET any -> [120.26.18.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1746344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cinder.way17call-in.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powney.prd.redroselin.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sparrow.way17call-in.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746337; rev:1;) alert tcp $HOME_NET any -> [99.83.215.169] 8116 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746333/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746333; rev:1;) alert tcp $HOME_NET any -> [4.37.243.227] 8013 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746331/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91746331; rev:1;) alert tcp $HOME_NET any -> [144.31.232.67] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746329/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746329; rev:1;) alert tcp $HOME_NET any -> [116.26.10.158] 36154 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746328/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746328; rev:1;) alert tcp $HOME_NET any -> [107.23.124.228] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746327/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746327; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 9301 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746326/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746326; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 65399 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746324/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746324; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 8329 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1746325/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746325; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 55578 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746323/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746323; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 42232 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746320/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746320; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 4840 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746321/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746321; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 5000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746322/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746322; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 18244 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746315/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746315; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 18246 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746316/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746316; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 1883 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746317/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746317; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 20546 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746318/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746318; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 2456 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746319/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746319; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 12642 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746313/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746313; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 14000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746314/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746314; rev:1;) 
alert tcp $HOME_NET any -> [102.117.15.139] 10558 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746312/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746312; rev:1;) alert tcp $HOME_NET any -> [101.200.72.138] 443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746311/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mosaic.pucker8reined.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tamil.uk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmv.de.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6543.cn.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6960.cn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitclub-web.us.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marketrasen.uk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahf.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ryu.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746299/; target:src_ip; metadata: confidence_level 100, first_seen 
2026_02_11; classtype:trojan-activity; sid:91746299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rrb.us.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koh.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"789p.uk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldclass.uk.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hybrids.us.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"dyw.uk.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polytropos.eu.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746295/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slrbi356-30384.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lumen.pucker8reined.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laundrysyndicserai.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vjdisnli.rightsisyphus.digital"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746274; rev:1;)
# Payload-delivery domains, feed confidence 100%.
# Each rule inspects the dns_query buffer. depth is set to the length of the content string and
# isdataat:!1,relative requires that no byte follows the match, so only a query for exactly this
# name matches (case-insensitively, via nocase). A subdomain or a sibling host under the same
# parent domain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onx0xsoi.rightsisyphus.digital"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"harbor.enter483pro.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746272; rev:1;)
# The entries below carry confidence_level 75 in both msg and metadata; the match logic is the same
# exact-name DNS match. classtype is trojan-activity for every entry regardless of confidence, so
# priority has to be derived from metadata.confidence_level if the lower-confidence IOCs are to be
# triaged separately.
# target:src_ip records the querying $HOME_NET address as the target side of the alert. If clients
# resolve through an internal recursive resolver, that address is the resolver; correlate with
# resolver query logs to find the endpoint.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tv88-km.cyou"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746267/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tv88-vip.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746268/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kp88.ink"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746266/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746266; rev:1;)
# DNS IOC rules: dns_query content with depth equal to the name length plus isdataat:!1,relative
# is an exact, case-insensitive match on the full query name. The feed confidence differs per
# entry (75 on the first rule, 100 on the next two); it is carried in msg and metadata only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ax88vn01.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746265/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"comet.enter483pro.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.genesisproj.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746236; rev:1;)
# URL IOC rule (feed confidence 90%). It requires an established client-to-server flow, method GET,
# and an http.host value that is exactly the listed name (depth + isdataat:!1,relative).
# The http.uri test (content:"/"; depth:1) is met by any path that starts with "/", so it does not
# narrow the match: every GET to this Host alerts, whatever page is requested. The nocase after it
# applies to "/" and has no effect.
# Only cleartext HTTP reaches these buffers; requests over TLS are not seen by this rule unless the
# traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 90%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"psicogenealogia.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746237/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_11; classtype:trojan-activity; sid:91746237; rev:1;)
# ip:port IOC rule. There is no content, flow or flags keyword: any TCP packet from $HOME_NET to
# this address and port matches, including a connection attempt that is never answered. An alert
# therefore shows an attempt to reach the endpoint, not an established C2 session.
# threshold (type limit, track by_src, count 1, seconds 60) caps output at one alert per source
# address per minute; it does not change what matches.
alert tcp $HOME_NET any -> [191.23.31.238] 1000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91746239; rev:1;)
# ip:port IOC: matches any TCP packet from $HOME_NET to the listed address and port (no flow or
# payload condition), rate-limited by threshold to one alert per source address per 60 seconds.
# The IOC is dated by metadata first_seen; addresses get reassigned, so check the referenced
# ThreatFox entry before acting on an alert long after that date.
alert tcp $HOME_NET any -> [45.149.153.129] 2020 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746241; rev:1;)
# URL IOC whose host is an IP literal. The rule fires on a GET over an established client flow
# when http.host is exactly "151.247.22.202"; the http.uri test (content:"/"; depth:1) accepts any
# path beginning with "/". The destination is $EXTERNAL_NET any, so the match is on the Host header
# value, not on the destination address of the connection.
# NOTE(review): a Host header that also carries a port may not satisfy the exact-length match -
# confirm how the sensor normalizes http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"151.247.22.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1746262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746262; rev:1;)
# Domain IOCs: exact, case-insensitive match on the full DNS query name (depth equals the name
# length; isdataat:!1,relative forbids trailing bytes). Sibling hosts under the same parent need
# their own rule, which is why several names under one parent are listed separately.
# These rules see only DNS the sensor can parse; queries sent over an encrypted resolver channel
# are not inspected here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angry-toaster.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"willow.art67quarrel.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"glacier.art67quarrel.coupons"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746261; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"monarch.dle759zone.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746260; rev:1;)
# ip:port IOCs, one rule per address/port pair; the malware family name appears only in msg.
# Header-only match: any TCP packet from $HOME_NET to the bracketed address on the given port
# alerts, with no flow:established or payload condition, so blocked or unanswered connection
# attempts alert as well. Confirm session establishment and volume in flow records when triaging.
# threshold: type limit, track by_src, seconds 60, count 1 emits at most one alert per internal
# source per minute for each sid; a host that keeps beaconing produces roughly one alert a minute.
# target:src_ip marks the internal source address as the target side in the alert record.
alert tcp $HOME_NET any -> [3.84.151.60] 6003 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746258; rev:1;)
alert tcp $HOME_NET any -> [3.84.151.60] 58603 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746259; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.225] 1912 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746257; rev:1;)
# The same address recurs below with a different port per rule; each pair has its own sid and its
# own threshold counter, so one host touching several ports yields one alert per sid per minute.
alert tcp $HOME_NET any -> [102.117.15.139] 11112 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746256; rev:1;)
alert tcp $HOME_NET any -> [102.117.15.139] 9142 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1746255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746255; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 5986 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746254; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 119 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746252; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 1194 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746253; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 62533 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746251; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 788 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746250; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 5299 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746249; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 4839 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746248; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 12322 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746245; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 53781 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746246; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 50670 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746247; rev:1;) alert tcp $HOME_NET any -> [34.88.31.95] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; 
sid:91746244; rev:1;)
# ip:port IOC: header-only match on TCP from $HOME_NET to the listed address and port, limited by
# threshold to one alert per source address per 60 seconds. No payload or flow state is checked.
alert tcp $HOME_NET any -> [113.44.67.52] 14433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746243; rev:1;)
# Domain IOC at feed confidence 75%. The match is on the full host name only (depth equals the name
# length, isdataat:!1,relative forbids trailing bytes), so other hosts under the same parent
# domain do not alert.
# NOTE(review): the parent looks like a shared dynamic-DNS zone - confirm before using this IOC as
# grounds to block the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"angxo.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746238/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746238; rev:1;)
# Domain IOCs at feed confidence 100%: exact, case-insensitive match on the DNS query name.
# msg separates "payload delivery" from "botnet C2 traffic"; classtype is trojan-activity for both,
# so the msg text or the referenced ThreatFox entry is what tells download infrastructure from
# command-and-control during triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nectar.dle759zone.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myghibligenerator.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orbit.flash97all.coupons"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"victorlopes.agencialegalads.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746219/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vayna.in.digitaljaydeep.in"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746220/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usbirdrep.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746221/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"upbirdrep.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746222/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trybirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746223/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turkey-company.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1746224/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trybirdrank.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746225/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thietbidiencongnghiep.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746226/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thecatflix.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746227/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hotgirltiktok.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746228/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inspirec.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746229/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91746229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poloidesign.com.75156372-90-20180116090518.webstarterz.com"; depth:58; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746230/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"youthvxolenceproject.com.springvillehomestead.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746231/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winbee.jp"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746232/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"simz2.jp"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746205/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shop.jlct.jp"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746206/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746206; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abac-kompresszor.hu.technorollshop.hu"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746207/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wagnertech.lu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746208/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"businessthrust.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746209/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"account-captcha-id4234.cfd"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746210/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"satwikskincare.com.digitaljaydeep.in"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746211/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"yoursny.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746212/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yarapon.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746213/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xbox.sumillionaires.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746214/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp.zyratalk.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746215/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winwinexpert.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746216/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vipbirdrep.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746217/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"volokno.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746218/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.tamiltotamil.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746188/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.kasatnews.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746189/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.giracoin.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746190/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vietorigin.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746191/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91746191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vidaedinheiro.com.agenciadelivearte.com.br"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746192/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urzone.in"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746193/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"truongminhduc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746194/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tradesunjapan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746195/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taskageniusalamin.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746196/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sp0t.biz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746197/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tehahfandbtrading.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746198/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"souzaeferro.agencialegalads.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746199/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skyxin.ch"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746200/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abeno-snake.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746201/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taias.lt"; depth:8; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1746202/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746202; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox domain IOCs: botnet C2, confidence_level 75, first_seen 2026_02_11
#
# How each rule matches:
#   dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase;
#   depth equals the length of <name> and isdataat:!1,relative requires that
#   no byte follows the match, so a rule fires only when the queried name is
#   exactly <name> (case-insensitive). Subdomains and parent domains of a
#   listed name are not covered unless they have their own rule.
#   Internationalised names appear in their xn-- (punycode) form.
#
# Triage notes:
#   - confidence_level 75 is the feed's own rating, not a verdict; check the
#     ThreatFox page in reference:url before acting on a hit.
#   - Several entries are service hosts (webmail., ftp., whm., webdisk.,
#     smtp.) under what look like ordinary sites. Presumably compromised or
#     shared hosting; confirm before blocking a whole parent domain.
#   - These DNS rules carry no threshold keyword, so each matching query
#     raises its own alert; add rate limiting locally if volume is a problem.
#   - target:src_ip marks the querying host as the affected side. If clients
#     resolve through a resolver inside $HOME_NET, the source may be that
#     resolver; correlate with resolver logs to find the endpoint.
#   - sid is "9" followed by the ThreatFox IOC id from the reference URL.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sl-baker.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746203/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soulcirclewellness.rocketrobs.co.za"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746204/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.he-connect.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746172/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.fixmystrings.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746173/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sitebh.com.br"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746174/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seminariodiocesedejanauba.com.br"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746175/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sbludwig.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746176/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.jot.adw.mybluehost.me"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746177/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taqrisenterprise.com.nexus-my.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746178/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ulwaza.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746179/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saturnfoundation.in"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746180/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wewheel.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746181/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.umeedshiksharath.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746182/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"womenworkingtogether.com.au"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746183/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"web12.alliancepaytest.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746184/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wishlist.miarcus.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746185/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website.studiocaravan.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746186/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.uranium-news.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746187/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.super77a.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746154/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"twessy.tasawk.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746155/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"topone-fc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746156/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"website-e4b7844b.joyfulsouthernmama.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746157/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.dinsosjombang.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746158/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tsuchiya-miso.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746159/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"valorcomunica.agenciadelivearte.com.br"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746160/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triplobby.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746161/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"travelpass.zambosur.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746162/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"toiler.wesix.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746163/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"terecon.ch"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746164/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tenmaru7hikiyose.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746165/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"taxi-saranda-shehaj.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746166/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"signature.seaskyservices.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746167/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"socialsecurityprimer.southernsummits.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746168/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"southbaybythegulfdestin.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746169/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soda89.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746170/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seribijutsu.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746171/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"schluesselringe.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746138/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"freekids.amosca.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746139/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zbhnozatrading.com.nexus-my.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746140/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yzempire.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746141/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skjsb.my.nexus-my.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746142/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shophomevn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746143/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"189632.web25.swisscenter.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746144/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soulcirclewellness.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746145/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ipacarai.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746146/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sto.ttc-auto.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746147/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ystar.jp"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746148/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whm.chinabandy.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746149/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yumewokanaeru365.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746150/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yuk89slot.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746151/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wp-proplus.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746152/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"web-ocean.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746153/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.mega77b.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746121/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stavby.sk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746122/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"staging.trytebox.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746123/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stazio54.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746124/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"supvitalfree.verslo.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746125/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tanakazu1977.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746126/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"syuchan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746127/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teresina.oligoflora.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746128/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sebastiancafe.kbral.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746129/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"singlevendor.ninetysix.in"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746130/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quabala-quabala.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746131/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"psicologowil.com.br"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746132/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qka.poy.temporary.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746133/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"portaldesigngrafico.com.br.agenciadelivearte.com.br"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746134/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rummagewi.drcs-solutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746135/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rummagewi.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746136/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sageproductions.tv"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746137/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test.my-video-live.cloud"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746104/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wooddecor.com.br.kbral.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746105/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tlcmaui.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746106/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quamecheng.co.zm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746107/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ysetechnologies.com.appniacs.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746108/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whm.umeedshiksharath.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746109/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"whm.tamiltotamil.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746110/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yellowbird.siulyn.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746111/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vitaricca-1.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746112/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wordt-ontwikkeldbe.site.tb-hosting.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746113/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.kasatnews.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746114/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vegasvalleycommercial.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746115/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"study.bisabarengoby.id"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746116/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tes-totaleng.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746117/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teenpattijawaan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746118/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"urbiagua.pt"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746119/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.giracoin.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746120/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frassatoadvogados.agencialegalads.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746088/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ftp.schoolofhealthcare.co.uk"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746089/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"myticket.kwirs.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746090/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cap.opetap.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746091/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ftp.knowzalearning.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746092/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"belezamolecular.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746093/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lead-mc.jp"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746094/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seydap.gr"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746095/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fastsolution.asia"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746096/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lupstyle.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746097/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shinsenkaku-osaka.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746098/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"odeon-gongen.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746099/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gaines-kg.jp"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746100/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smtp.xn--80adx0bza.xn--80aphgvco4b.xn--p1ai"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746101/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ace-batiment.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746102/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"travellerschoice.ae"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746103/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kanekoyozo.jp"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746072/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"google-drive.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746073/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mukidashiactive.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746074/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746074; rev:1;)
alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insectopia.ch"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746075/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bakvau-store.evascientific.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746076/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dimelox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746077/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"favashop.com.ar"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746078/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"utama78.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746079/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.avomawealth.com"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746080/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sendhub.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746081/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shizuka-home.co.jp"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746082/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thespitiko.com.au"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746083/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deibignite.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746084/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suiiki-e-r.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746085/; target:src_ip; metadata: 
confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"laflacatea.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746086/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frassatoadvogados.com.br.agencialegalads.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746087/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sushibymatsu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746056/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"feedmylambs.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746057/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"int-secure.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746058/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746058; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"steam-cloud.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746059/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alpharedi.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746060/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ekoplod.pentasoftcomputers.eu"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746061/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"extracareliving.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746062/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accountpulseupdate.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746063/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"accountupdatepulse.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746064/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"account-update-pulse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746065/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accountmanagercheck.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746066/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pulse-my-account.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746067/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"account-updationpage.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746068/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captcha-online.live"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746069/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"3ac.conohawing.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746070/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banlieuefashion.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746071/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ru.moneyjungle.ch"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746041/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alfenjan.iq"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746042/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"greathomesgh.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746043/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; 
sid:91746043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aaa-fxinvest.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746044/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pressbookmedia.ro"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746045/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grandcentralatelier.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746046/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visvabharati.ac.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746047/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingsviewpaving.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746048/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"cptoptious.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746049/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bosonalfa-ai.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746050/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"topbilliondirectory.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746051/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chrispetley.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746052/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soinsfeepourtoi.ch"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746053/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bitesoutoflife.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1746054/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"portal-secure.app"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746055/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746055; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 1244 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746040; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 18080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746039; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 6443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746038; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 62224 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746037; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 30726 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746036; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 2443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746034; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 18245 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746035; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 1224 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746033; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 56635 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746032; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 9200 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91746030; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 11778 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746031; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746029; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746027; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 10035 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746028; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 39772 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746026; rev:1;) alert tcp $HOME_NET any -> [102.117.15.139] 12519 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1746025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.wincloud-svc.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746024; rev:1;) alert tcp $HOME_NET any -> [172.65.239.53] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746023; rev:1;) alert tcp $HOME_NET any -> [18.191.11.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746022; rev:1;) alert tcp $HOME_NET any -> [51.45.54.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746021; rev:1;) alert tcp $HOME_NET any -> [155.94.163.103] 7070 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1746020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91746020; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2d5h.js"; depth:8; nocase; http.host; content:"ctpsih.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ctpsih.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.php"; depth:7; nocase; http.host; content:"ctpsih.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scope/reset-template.php"; depth:25; nocase; http.host; content:"viertofly.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"viertofly.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745971/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scope/verify-payload.js"; depth:24; nocase; http.host; content:"viertofly.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exploringthenorth.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746005/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stransdeport.su"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746006/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"noelgascon.cmu-online.tech"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746007/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jawks.t3.storage.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746008/; target:src_ip; metadata: confidence_level 
75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"animixplay.com.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746009/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"courses-ai.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746010/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jurnia.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746011/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"showtimedetailingservice.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746012/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phambilihighschool.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746013/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tinavanleuven.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746014/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"megalearning.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746015/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fitnesslife24.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746016/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gavinmakesapps-sys.github.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746017/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hupe-wa.dz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746018/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soko-jikara.jp"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745988/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"psicogenealogia.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745989/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"imeta-bypass-check.t3.storage.dev"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745990/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"visitbundala.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745991/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"surecomforts.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745992/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.optimumfl.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745993/; target:src_ip; 
metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glassiker.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745994/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"appleslicesllc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745995/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"make-lnk.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745996/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"forreststonesolutions.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745997/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strategicshift.au"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745998/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745998; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"habibitravel.co.id"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745999/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"twitws.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746000/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"valuelinkltd.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746001/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"truetech.ninetysix.in"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746002/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.sgardenchild.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746003/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"meta-check.t3.storage.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1746004/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91746004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"namzcp.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745975/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bds3.umemarketingagency.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745976/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"117a78bb33.nxcli.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745977/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"acc.mecha-service.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745978/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"6yjgi2ue4qhb1zn1i65zpwdyii7k50vr0mprzvaz.t3.storage.dev"; depth:55; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1745979/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"accsories.xin"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745980/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dev.18m.sn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745981/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"heritagecraftshub.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745982/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"evascientific.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745983/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captoolsz.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745984/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peablueinteriors.co.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745985/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rigogabriele.it"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745986/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"karamelsitges.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745987/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saffron.flash97all.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pioneer.pro7center.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"falcon.pro7center.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"r4ven.unt452hub.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meat-9q2t.unt452hub.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a7k3z.unt452hub.coupons"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745960; rev:1;) alert tcp $HOME_NET any -> [79.137.192.174] 56002 (msg:"ThreatFox PureRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.217.208.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745950; rev:1;)
# URL indicators for one host. Each rule needs method GET, a URI that begins with the listed
# path, and a Host header equal to the listed name. They apply to client-to-server traffic
# on an established flow that Suricata parses as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scope/proxy-serializer.js"; depth:26; nocase; http.host; content:"verstelfonk.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745951; rev:1;)
# DNS counterpart for the same host name: it fires on the lookup, which remains observable
# when the request that follows is carried over TLS and the http rules cannot inspect it.
# NOTE(review): this presumes the resolver traffic itself is cleartext DNS on the sensor path.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"verstelfonk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scope/reset-template.php"; depth:25; nocase; http.host; content:"verstelfonk.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scope/verify-payload.js"; depth:24; nocase; http.host; content:"verstelfonk.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745954; rev:1;)
# Short path indicators. The URI pattern is anchored only at the start (depth:4 or depth:5,
# with no end-of-buffer check), so "/get" also matches any longer URI that begins with those
# bytes. The exact Host match is what ties the alert to the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get"; depth:4; nocase; http.host; content:"91.193.19.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get"; depth:4; nocase; http.host; content:"theunnumed.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745956; rev:1;)
# This rule requires method GET although the path is "/post"; a POST request to the same
# path and host does not match it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post"; depth:5; nocase; http.host; content:"91.193.19.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rocket.gadgetgrab.coupons"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prism.gadgetgrab.coupons"; depth:24;
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"velvet.beautybundle.coupons"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745946; rev:1;)
# ip:port indicators. These rules have no flow: keyword and no payload or protocol keywords;
# the only match criteria are the destination address and port in the rule header. An alert
# shows that a host in $HOME_NET sent TCP traffic towards the indicator. It does not show
# that a session was established or that the family named in msg was actually observed.
# threshold limits output to one alert per source address per 60 seconds.
alert tcp $HOME_NET any -> [51.92.243.135] 808 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745944; rev:1;)
alert tcp $HOME_NET any -> [51.92.243.135] 8808 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745945; rev:1;)
alert tcp $HOME_NET any -> [45.8.47.24] 8080 (msg:"ThreatFox MimiKatz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745943; rev:1;)
alert tcp $HOME_NET any -> [159.65.3.72] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745942; rev:1;)
# Port 443 indicators: the match is still address and port alone, so any other service
# answering on the same address and port produces the same alert. Correlating with TLS or
# flow logs for the source host helps confirm what was actually contacted.
alert tcp $HOME_NET any -> [80.71.235.24] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745941; rev:1;)
alert tcp $HOME_NET any -> [107.172.10.190] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745940; rev:1;)
alert tcp $HOME_NET any -> [154.86.18.75] 14994 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745939; rev:1;)
# Domain indicators. Each is an exact match on the full query name (depth equals the name
# length, isdataat:!1,relative rejects longer names), so other names under the same parent
# zone are not matched by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sparepartstecnam.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"petal.beautybundle.coupons"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"crystal.travelvoucher.coupons";
depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pom.emiraride.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pom.megaexdistribuidora.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pom.emiraride.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pom.megaexdistribuidora.com.br"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1745932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"zrnyxza.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zrsglol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zryupao.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ztbntbo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ztjgcwl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ztkwinh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745919/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ztwdfbq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zucqkkg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zuecqbo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zwfjmzw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zwifdqa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745924; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxjhsgn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxytjhc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zybtxui.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zyhtwrd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzcikkf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzjfmny.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdfecxe.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdgxmsd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeltywh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745894/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zgoysam.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhiiqqd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhzecai.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zjbfqmd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zjgsoey.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zjhbezg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zjrwfzi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"zjxpcme.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zkhphud.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zlqrzes.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmapkpn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmcnfwr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmhyehc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1745907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmtyaac.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmuochy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zobizni.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoebdut.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zpseuqt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745912; rev:1;) 
# Reading notes for the DNS rules in this part of the feed (one rule per ThreatFox IOC):
#   - dns_query + content:"<domain>" with depth:<length of the domain> and
#     isdataat:!1,relative pins the match to both the start and the end of the
#     query name; nocase makes it case-insensitive. Net effect: exact-name match
#     only -- a query for a subdomain of a listed domain does not alert.
#   - The header is $HOME_NET -> $EXTERNAL_NET, so a client query sent to a
#     resolver inside $HOME_NET is not matched. If the sensor sees the resolver's
#     upstream query instead, the alert source (target:src_ip) is the resolver;
#     correlate with resolver query logs to find the originating host.
#   - dns_query is the legacy spelling of the dns.query sticky buffer.
#   - metadata carries first_seen only; no expiry is given in the rule.
#     NOTE(review): age out stale entries by refreshing the feed -- confirm the
#     retention policy against the feed's own documentation.
#   - NOTE(review): lookups carried over DoH/DoT are presumably not visible to
#     these rules -- confirm against sensor placement and TLS inspection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zqwandz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yugjpgb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yunyhwc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yunzkpy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yuodlia.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ywctaas.ru"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yxatctr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yxjaqes.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yxlfdpt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yxopotk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yyeytoh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745879/; target:src_ip; metadata: confidence_level 100, 
first_seen 2026_02_11; classtype:trojan-activity; sid:91745879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yyjfnfz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yyoaziq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745881/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yzhekdt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yzncppn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yzsshlc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"zaunrzk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaxfnmc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaxxzfi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbigkaf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbrxzcd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zcuchnu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1745890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdenmsd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymiggzg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymphnjo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynbqjkm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynciazz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745851; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yndwlcn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynjaqun.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yntjuyj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoeiqlj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoibwhc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yomnehe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ypedpuf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yptoihj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ypuyhme.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ypwlbnc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yqbpbpb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745862/; target:src_ip; metadata: 
confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yqskqsa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yqwaxaj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yrfsfxa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yrlyfbs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yssjtrq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yswfobd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ytppcau.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ybrekcl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ydgsauz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ydibgtr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ydxphmy.com"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1745831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yeqpnkd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yfcugcs.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yfeqaof.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygdcdwz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygnhnmx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhjlmol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhlwwse.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhrmrto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiehgcs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiidorp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"ykqhauq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yliqeyc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ylmpytq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yltdgwg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yltzlez.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymalbiw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745847/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtwbsox.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtxflqf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xugkfyn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xunirsz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xwjsecr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745811; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xwrkdwe.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxqdtpt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxsgxdg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xybblqk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xyiqdyb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xyyxrqp.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xzmhrjr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xzwoyjo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xzxbjpx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yadlmge.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaiprqi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yalhofx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaogxlk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yatgzkh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaxpspf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ybolhzh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745827/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"xjfgepy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkymrjm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xljhsya.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmmtjhf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmnryug.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmodxcr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745790/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xnpgise.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoalebo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xocoptr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoiqxhm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xosfnab.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745795; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpcqnea.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpgapac.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpklcqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpmniou.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xprqrha.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpwingi.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xqaorgo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xqsgyjo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xsgprgh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xsllxib.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtfgmay.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wzcokth.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wzkniur.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wzxtbjj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xaiefui.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xaqyzoa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"xauftky.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xaxkper.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbfrncm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbsyxih.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xclexjw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xddwcpu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745774/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xeuhnet.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xflozow.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfqhajt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfsqoaw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xgppcei.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745779; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xhduszl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xheskgb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xidhtxx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xinskfi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xisphiu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wjclfze.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkharok.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkubaaw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkxjnhy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wlusumn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wmadhsj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wmfksfb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wnfsdee.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wnhwxmp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wohihhu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woztxhd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"wqiymtd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wqswyco.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrjttyc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrpqnqo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtkskft.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wuneenb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745759/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wupbxya.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wuxiyup.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwtkfjg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wzbkoex.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wbktabx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745723; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wbxlqxa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wbypcbc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wczksro.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wdzzipz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wfbgjbz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wfcskbn.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745729; rev:1;)
# --- DNS query rules (exact-match domain IOCs) ---
# Each rule inspects the DNS query name buffer (dns_query). content plus
# depth:<length of the name> anchors the match at the start of the buffer and
# isdataat:!1,relative requires that no byte follows it, so only the exact name
# matches (case-insensitively, via nocase). A lookup for a subdomain of a
# listed name does not fire these rules.
# Direction is $HOME_NET -> $EXTERNAL_NET and target:src_ip marks the querying
# side as the affected asset. NOTE(review): where clients resolve through an
# internal recursive resolver, the alerting source is presumably that resolver,
# not the endpoint - correlate with resolver query logs to find the host.
# In the rules shown, sid is 9 followed by the ThreatFox IOC id from the
# reference URL, which makes it easy to pivot from an alert to the IOC page.
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky
# buffer; confirm it is still accepted by the deployed Suricata version.
# NOTE(review): the short random-looking .ru/.com/.net labels look
# algorithmically generated; such names are often short-lived, so use
# first_seen in metadata when deciding how long to keep these rules loaded.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wfyszui.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745730/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wghrklz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgiqwau.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgopryh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wgpwbaa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whakdzo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whihyrr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whnjwwe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wihibhj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wihsrys.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wilhahy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wilmwug.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wioozqc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unwwlih.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745701; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uomfjjm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uqeqsjg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usacpkd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usadota.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utlrtwz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utnukfu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utqclgg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uwhkger.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uxesjmg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uycsnqp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uyfusxm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uyoousa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uyqslcf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uyqtyqh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uzbserc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uzhguas.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uznsotl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wafjokg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walasth.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wanninn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745721/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wapndga.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhyyeuq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745683; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uiitmhi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uizsqww.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujcdiur.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujnsats.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujygqtw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukciate.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745689; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukcxcer.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745690; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukfxwac.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745691; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uldsqcl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745692; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umdbmea.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umjumsm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745694; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umkgmoa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ummnroi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745696; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umpxqxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umrmjyj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umwwmcc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umzzznb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745700; rev:1;)
# --- IP:port rules (C2 endpoint IOCs) ---
# These match TCP traffic from $HOME_NET to one listed address and port. There
# is no flow: or payload keyword, so a connection attempt that is never
# answered can alert just like an established session; treat a hit as "host
# tried to reach this endpoint" and confirm with flow records or endpoint
# telemetry before concluding that C2 traffic was exchanged.
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at
# one alert per source address per 60 seconds, so alert counts understate the
# number of connections.
# Confidence varies in this group (100, 90 and 75 in msg and metadata), and the
# 75% entries include ports 80 and 443 on a single address. NOTE(review): IP
# indicators can be reassigned or shared with unrelated services; consider
# routing the lower-confidence sids to a review queue rather than blocking.
alert tcp $HOME_NET any -> [154.64.235.110] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745680; rev:1;)
alert tcp $HOME_NET any -> [195.177.94.132] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745679; rev:1;)
alert tcp $HOME_NET any -> [20.163.58.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745678/; target:src_ip; metadata: confidence_level 90, first_seen 2026_02_11; classtype:trojan-activity; sid:91745678; rev:1;)
alert tcp $HOME_NET any -> [128.241.229.70] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745677; rev:1;)
alert tcp $HOME_NET any -> [23.254.226.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745675/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745675; rev:1;)
alert tcp $HOME_NET any -> [23.254.226.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745674/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745674; rev:1;)
alert tcp $HOME_NET any -> [120.77.211.144] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1745673/; target:src_ip; metadata: confidence_level 75, first_seen 2026_02_11; classtype:trojan-activity; sid:91745673; rev:1;)
# --- DNS query rules (exact-match domain IOCs), same shape as the DNS rules above ---
# Exact, case-insensitive match on the full query name; subdomains of a listed
# name are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufjrwoa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745669; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ugonkzj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uguihel.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745671; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhjhjst.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twuurbf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"txawugh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745649; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tyymfag.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745650; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzcqgrl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzsduod.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745652; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ualextd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uarszmk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubkwwus.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucbrstz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745656/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucicmqu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udcjmjp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udjlwrk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udukqpb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udurimq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udzbigu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745662; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ueasaxq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uedqqhx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745664; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uenosbl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uezrdtk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufgwtfc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745667; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ufhyliu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745668/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tqlmhsk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tqobaps.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tqrnnli.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tqwtqdp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trozbgi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trtbjpe.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsdqudz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsieflf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745634; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tstfsux.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tswucek.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsxbyrg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tteljeo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttkdmzg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttnxssm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunikbt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tupyelg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuzsecn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twcdnxb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745644; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twnskde.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twooocw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twowlux.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745647; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjcglnh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjgjbng.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745606/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjplpay.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjyzwtw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkbiqjq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkkrnxi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tklwfah.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745611; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkxzwqh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745612/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlbxwes.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745613/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlhilup.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745614/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlhnclw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745615/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlhppdt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745616/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlrrbcc.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745617/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745617; rev:1;)
# Triage notes for alerts from the rules below:
#   * The header requires a destination in $EXTERNAL_NET. Where clients resolve
#     through an internal recursive resolver, the client -> resolver query has a
#     $HOME_NET destination and does not match; the alert then fires on the
#     resolver's upstream query and src_ip is the resolver. Correlate with
#     resolver query logs to find the originating host.
#     NOTE(review): depends on the local $HOME_NET definition and sensor placement.
#   * A match records that the name was looked up. It does not show that the
#     name resolved or that any connection followed; check the DNS answer and
#     subsequent flows from the same host before escalating.
#   * msg names only the category ("botnet C2 traffic"), not a malware family;
#     the reference URL in each rule points at the ThreatFox entry for the IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlsradc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745618/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tlwixed.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745619/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmbuczf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745620/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmccszp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745621/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tnrgead.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonwoxe.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tphdzyl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tpkesmd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tprcpep.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745626; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syhhtlc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745585/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysupda.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745586/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syyhqgk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745587/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syyxnmj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745588/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"szfalar.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745589/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"szfhdgg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745590/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"szhbpgr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745591/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745591; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takdwtn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745592/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745592; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tazfbls.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745593/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tbnhplu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745594/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tbsnaoq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745595/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdsjrnp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745596/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teodlay.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745597/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745597; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"texxrji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745598/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfntjje.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745599/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgunyix.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745600/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgzcwhm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thctrow.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745602; rev:1;)
# Coverage limits of the rules below:
#   * Each rule matches one literal name: depth equals the content length and
#     isdataat:!1,relative forbids trailing bytes, so nothing but that exact
#     query name (case-insensitive) fires it.
#   * The names here are seven-letter labels under .com/.net/.ru and look
#     algorithmically generated (presumably DGA output; the rules do not name a
#     family -- confirm via the reference URLs). Names from the same generator
#     that are not listed are not covered, so treat this list as a point-in-time
#     sample rather than full coverage of that infrastructure.
#   * Only DNS the sensor can parse is inspected by dns_query.
#     NOTE(review): lookups sent over encrypted transports (DoH/DoT) would not
#     be visible to these rules -- verify how endpoints resolve names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thquklc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ticapoh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqesasd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745563/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqhcssl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745564/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqljsjg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745565/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srmfriz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745566/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sruewaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745567/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sstjndw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745568/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stfkwrg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745569/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stlnunu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745570/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stoizji.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745571/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strqeof.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745572/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subbsty.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745573/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sumbtlg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745574/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suxxeyo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745575/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suzqkab.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745576/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swemrgx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745577/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swhjoah.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745578/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swrprct.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745579/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swtxcgq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745580/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swxxmcb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745581/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sxdgtet.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745582/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sxfrdfk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745583/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syeiihb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745584/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfcxiih.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745541/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfdfrhh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745542/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfnkozr.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745543/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745543; rev:1;)
# Maintenance notes for the rules below:
#   * Every rule in this stretch carries confidence_level 100, first_seen
#     2026_02_11 and rev:1. first_seen is the only age signal in the rule; weigh
#     an alert against it, since a domain IOC can go stale or change hands after
#     the activity that got it listed.
#   * Rules follow one fixed template and take their sid from the ThreatFox IOC
#     id, so they appear to be machine-generated. NOTE(review): prefer disabling
#     or thresholding by sid in local configuration over editing a rule in
#     place; a regenerated feed would overwrite in-place edits.
#   * IOC ids are not monotonic in file order (sid:91745562 is followed by
#     sid:91745519), so compare feed versions by sid rather than by position.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sgzsetb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745544/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shnobju.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745545/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shqjqrw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745546/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sijyrit.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745547/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sirxmiy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745548/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjcklsl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745549/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skrcctu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745550/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skrsuec.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745551/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skwqwyn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745552/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slcwtnl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745553/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slhwyjw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745554/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slyagaq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745555/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smislql.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745556/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snhqhhm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745557/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sningaz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745558/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snshdkb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745559/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sodahlz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745560/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soirxyy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745561/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sptemru.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745562/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtzgkmm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745519/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruwnbbo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745520/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxjzurq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745521/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxqqehx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745522/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rylmikq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745523/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rynffwj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745524/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rywnokt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745525/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rzeyspb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745526/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rzlqryz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745527/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rzsenmm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745528/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saaxseh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745529/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sancqfs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745530/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbafcpq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745531/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbgbafy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745532/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbnekwt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745533/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbpllme.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745534/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbppywn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745535/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scaquhz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745536/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"scrilbw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745537/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdenrkn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745538/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdrylch.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745539/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seuzqyb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745540/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rmpokmg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745500/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rmsgzif.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745501/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rntetze.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745502/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rnuykug.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745503/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rnwmsbd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745504/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rnzdjjr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745505/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rohoykw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745506/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745506; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rohqmxe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745507/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roplwjo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745508/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roybhid.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745509/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rpiqrre.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745510/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rpkskwn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745511/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqadjtc.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745512/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqebifm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745513/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqgdpcq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745514/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqnquxf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745515/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqykzbi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745516/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rrsywps.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745517/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rsscjmm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745518/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qzzpulx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745479/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raeeccx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745480/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapqeqc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745481/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rcjitdd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745482/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"rdggegr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745483/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdtssml.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745484/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reduttg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745485/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reimctt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745486/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rfigznh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745487/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rfwotzg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745488/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgfrbxl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745489/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgnajnr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745490/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgqkjoz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745491/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rhaaxsx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745492/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rhwypna.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745493/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745493; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riahmaz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745494/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ribqook.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745495/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rijrboi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745496/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rjhzaas.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745497/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rkacqse.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745498/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rksgxwu.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745499/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosourx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745457/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpeuicd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745458/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpkrpwu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745459/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpwospr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745460/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qqrsmng.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745461/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrqwehr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745462/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtewhnp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745463/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtsgser.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745464/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quoarot.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745465/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quossbg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745466/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"qwifgof.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745467/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxicnnb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745468/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxnracb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745469/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxpgfeg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745470/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxuhmqq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745471/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyatftg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745472/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qywkcyk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745473/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qyyyhaf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745474/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qzbyssr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745475/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qzcuaum.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745476/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qzkkbfr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745477/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745477; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qzyiabw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745478/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745478; rev:1;)
# Reading notes for the DNS rules that follow (they all share one template):
# - dns_query + content + depth:<length of content> + isdataat:!1,relative pins
#   the match to the whole query name, case-insensitively (nocase): depth forces
#   the content to start at offset 0 and isdataat:!1,relative requires that no
#   byte follows it. A lookup for a subdomain of a listed name does not alert.
# - $HOME_NET -> $EXTERNAL_NET: only queries addressed to an external server
#   match. Where clients use an internal recursive resolver, the flagged source
#   (target:src_ip) is that resolver, so the querying client has to be
#   identified from resolver query logs. Encrypted DNS (DoH/DoT) is not
#   inspected by dns_query.
# - None of these rules carries a threshold, so every matching query raises an
#   alert; rate-limit per source in threshold.config if one host floods.
# - sid is "9" followed by the ThreatFox IOC id from the reference URL; check
#   that this 9xxxxxxx range does not collide with locally assigned sids.
# - NOTE(review): the names (seven lowercase letters under .com/.net/.ru, all
#   first_seen 2026_02_11) look algorithmically generated. The msg does not
#   name a malware family; confirm it via the reference URL before triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qcsluaf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745436/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdlewjx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745437/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdlycsz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745438/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qeeunzk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745439/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfhezuy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745440/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfhnyyh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745441/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfjuhak.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745442/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnyxab.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745443/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgqgesa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745444/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgyzwlo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745445/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qhcfbgu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745446/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qhwojsi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745447/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qilamax.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745448/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qjuzapy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745449/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qjwhuox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745450/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qjyqnxz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745451/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qkqascz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745452/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmnzblg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745453/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qmwesee.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745454/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qncukuq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745455/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qnhncyh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745456/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppnxgln.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745416/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pqfxclu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745417/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745417; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pqkgtin.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745418/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prhkwro.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745419/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prqgwut.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745420/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psmcmms.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745421/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psrzqlc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745422/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pszsrsy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745423/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pudqwnh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745424/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pugiofx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745425/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pugtlyf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745426/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwmpjjg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745427/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pyhdjro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745428/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pyiepkp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745429/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pyjnwqq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745430/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pyrxbqc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745431/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pyyynza.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745432/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzxuuay.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745433/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qbldpse.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745434/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qbywfwc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745435/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pfogrla.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745395/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pfxwgdt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745396/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgczmwd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745397/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgiyflj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745398/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgouqzx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745399/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phkwabn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745400/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phnintc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745401/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phqeunk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745402/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phywgxl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745403/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjcmuqa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745404/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjrrttk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745405/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkbemof.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745406/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkkoasg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745407/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pllyuxr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745408/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plpkzoc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745409/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pmdpyct.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745410/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnhidlb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745411/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pogmwmo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745412/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pokhoqf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745413/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polawcn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745414/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pooausj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745415/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otkmgkl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745375/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745375; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oubebye.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745376/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oulecca.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745377/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745377; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owpgtqg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745378/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745378; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owpiczc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745379/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745379; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owsckcg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745380/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745380; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owtssuc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745381/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745381; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxjghli.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745382/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745382; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oyzftbr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745383/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ozrxyun.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745384/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ozzbfrg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745385/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pamquxf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745386/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pamyczc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745387/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pbjjqli.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745388/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pbnjeau.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745389/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcelsdk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745390/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdtnjxs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745391/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745391; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peijdaj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745392/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745392; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peufwja.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745393/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745393; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pfjijad.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745394/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745394; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiksbrj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745355/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oimzozw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745356/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ojcdykj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745357/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ojqqxxl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745358/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ojrxlhn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745359/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oktsnpd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745360/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okuubsa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745361/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ollpcbn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745362/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olsoybz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745363/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olupjhu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745364/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ongjajj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745365/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooubyjf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745366/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opmxujb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745367/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opsndyk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745368/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"optrxed.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745369/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opyurod.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745370/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqcpeos.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745371/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745371; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqthzyk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745372/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745372; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osbenil.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745373/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osqbany.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745374/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745374; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oboshsl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745334/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocidjwf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745335/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ockqgqf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745336/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oclzqrd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745337/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocnatmc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745338/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octdchl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745339/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ocyximp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745340/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oczakwr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745341/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oddcucl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745342/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odlxcbd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745343/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"oekemmo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745344/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oeqdypl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745345/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofcllwd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745346/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofinzks.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745347/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofnlnol.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745348/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogxojhg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745349/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogzppfz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745350/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ohapjun.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745351/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ohqboll.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745352/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ohqrzmz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745353/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oiagbbz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745354/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745354; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntqyqrb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745314/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntsuasl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745315/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nttfazc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745316/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuunjwb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745317/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuyfrsa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745318/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwfbqzy.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745319/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwouppf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745320/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwqrhuc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745321/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nxpnsxr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745322/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nykmmme.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745323/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nymsxzm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745324/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nyonhrh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745325/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzbnqwu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745326/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzhwmjs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745327/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzzmqak.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745328/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oabrpce.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745329/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"oabtjfy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745330/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oazkzzt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745331/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obddctr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745332/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obgomgu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745333/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nninwck.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745294/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noaodzc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745295/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nobwyxl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745296/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noicskj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745297/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonyans.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745298/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nosawck.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745299/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notjzpm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745300/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745300; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowxtai.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745301/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nozcmcp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745302/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nppdnga.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745303/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npwkxmt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745304/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npxfkwt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745305/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nqcycqb.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745306/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nrbbapo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745307/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nroeqzo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745308/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nrxsndm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745309/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsddoqp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745310/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsgqetu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745311/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nstpnqy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745312/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntlucrd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745313/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nfgmalz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745274/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nfwsyog.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745275/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhexpdk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745276/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"nhoprge.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745277/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niekmpg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745278/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niobmdi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745279/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njeeili.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745280/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njenyam.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745281/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njieiig.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745282/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njjrehj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745283/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njqmtss.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745284/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njqpbfu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745285/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nkcipxf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745286/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nksoapu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745287/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745287; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nkztaxd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745288/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nlzcodm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745289/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nlzrbgy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745290/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmdmzxk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745291/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmmclix.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745292/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnhaioe.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745293/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745293; rev:1;)
# --- ThreatFox domain IOCs (botnet C2), first_seen 2026_02_11, one rule per line ---
# Each rule below fires on a DNS query from $HOME_NET to $EXTERNAL_NET whose name
# equals the listed domain. content + depth:<length of the domain> pins the match to
# the start of the dns_query buffer (legacy name of dns.query), isdataat:!1,relative
# requires that nothing follows the match, and nocase makes it case-insensitive.
# A query for a subdomain (www.<domain>) is therefore not matched by these rules.
# target:src_ip marks the querying host as the target side of the alert.
# NOTE(review): where clients resolve through a resolver inside $HOME_NET, the source
# on the HOME_NET -> EXTERNAL_NET leg is presumably the resolver, not the client;
# correlate with resolver query logs. TODO confirm against sensor placement.
# No threshold keyword is set here, so every matching query raises its own alert.
# sid is the digit 9 followed by the ThreatFox IOC id from the reference URL.
# NOTE(review): the rules name no malware family; the 7-letter labels under
# .ru/.com/.net look algorithmically generated. Check the reference URL per IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mwuzynk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745254/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mxpryce.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745255/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myeqsdw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745256/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myizjha.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745257/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mykqyaa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745258/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylxsgd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745259/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mynkqpi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745260/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myqnwxx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745261/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzoqxuu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745262/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzreaux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745263/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nahtafw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745264/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naltdrt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745265/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ncfnqjq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745266/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndgdzzl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745267/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndmtqfk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745268/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndnkhgz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745269/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nefguuj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745270/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neuqhrk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745271/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nfckgpp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745272/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nfdgnpm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745273/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmdaymk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745236/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmdnuun.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745237/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmgwucm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745238/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmpaqar.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745239/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mnjhoig.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745240/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpdlotk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745241/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpfranj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745242/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpjxwgx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745243/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqbcuuy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745244/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrnfhzg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745245/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrzcpjp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745246/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mslethd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745247/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mswukdp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745248/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtokhpa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745249/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtwqexn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745250/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtwxmdh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745251/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muxizct.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745252/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mwcnmmb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745253/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mdsdorp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745217/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meqzhxa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745218/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mexchyt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745219/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mflhuce.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745220/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfwfisz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745221/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mgtdyyx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745222/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirgmft.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745223/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjbysow.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745224/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjgufeh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745225/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjqlrgm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745226/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjuhfqa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745227/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkehkqw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745228/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkglhnw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745229/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkskgtr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745230/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkzlxln.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745231/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mldadae.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745232/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlmannt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745233/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlmtehg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745234/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlzilpp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745235/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lubjudl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745198/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745198; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luziqud.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745199/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745199; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lwgbsxd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745200/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lwkdrnx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745201/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745201; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyirwrf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745202/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lypllpu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745203/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyqnnpa.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745204/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyyyxeg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745205/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lzmiiuh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745206/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lzssazr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745207/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mampywx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745208/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manjbkx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745209/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastjmy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745210/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbsqwqz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745211/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbyogua.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745212/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbzioar.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745213/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcloemb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745214/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mdoirsy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745215/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mdpociu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745216/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmgfqzd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745180/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmpeiju.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745181/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lneibun.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745182/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lnlqchj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745183/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lnpbgtw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745184/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745184; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lojyybb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745185/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745185; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lomnlhe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745186/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745186; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lonprce.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745187/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745187; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lpdbiol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745188/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745188; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lplgysk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745189/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lrtapbs.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745190/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745190; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lrzgxti.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745191/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745191; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsajzoy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745192/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsboacp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745193/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745193; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsopxus.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745194/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ltksaxq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745195/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ltpwpuu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745196/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ltpyilz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745197/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfarejq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745159/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfpmqsw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745160/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfrzbpq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745161/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfwbjtk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745162/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfxwbdc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745163/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfzmsta.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745164/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgcizdg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745165/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgkberm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745166/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgppbam.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745167/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgwdcil.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745168/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhakhgw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745169/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhuckmr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745170/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhymbae.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745171/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhzfhjt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745172/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"likepmy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745173/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"litporj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745174/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liwbkgx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745175/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ljesoxp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745176/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkwwnuy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745177/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkylfhk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745178/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llajqhq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745179/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumzdxp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745139/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kupuxhi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745140/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kusawij.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745141/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"kuwtmln.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745142/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kwcsgxp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745143/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kwhkjlj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745144/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kwxnksf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745145/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kxactcm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745146/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kxrpjnw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745147/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kxuxkdj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745148/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kybgtbm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745149/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyjbpwo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745150/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kykkkkw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745151/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyorkpe.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745152/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745152; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyzweka.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745153/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzwyuce.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745154/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lafllqs.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745155/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lbxrftx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745156/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldobkjb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745157/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldqfpjt.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745158/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjqgkqg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745121/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkjmrws.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745122/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klhwsqo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745123/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klqpazh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745124/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klsgwrk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745125/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmdjlhd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745126/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmmeycg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745127/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knafrcu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745128/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knbesxb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745129/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knjcaoi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745130/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"knoytns.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745131/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"konsxcs.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745132/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kqwzgmw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745133/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krifmuj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745134/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krkedzu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745135/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ksxarjj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745136/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ktbpkjg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745137/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ktxdadp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745138/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdegulh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745103/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdreksu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745104/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdyphrz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745105/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745105; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekildy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745106/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekpjon.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745107/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfdqlub.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745108/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfnuksi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745109/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgdrbps.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745110/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kggfoxw.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745111/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgobdni.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745112/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgrpxaj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745113/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgxzwns.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745114/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khyggfe.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745115/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kibkncd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745116/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91745116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiigors.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745117/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiqfsrx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745118/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjlhsgg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745119/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjokzuz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745120/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jtmnosb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745084/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"jubsdzu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745085/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juxyzbl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745086/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jwgqxfu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745087/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jwitmdd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745088/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxjblbm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745089/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxraeke.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1745090/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxtzjmr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745091/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jydacze.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745092/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jyqgzut.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745093/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jyrheft.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745094/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jzwhkrf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745095/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745095; rev:1;) 
# DNS-query alerts for ThreatFox domain indicators tagged "botnet C2 traffic"
# (confidence_level 100, first_seen 2026_02_11); complete rules are one per line.
# Matching is exact-name: depth equals the content length, which anchors the
# pattern at the start of the dns_query buffer, and isdataat:!1,relative requires
# that no byte follows it. nocase makes the comparison case-insensitive. A query
# for a subdomain of a listed domain is therefore not covered by these rules.
# Only traffic from $HOME_NET to $EXTERNAL_NET is inspected.
# NOTE(review): with an internal resolver inside $HOME_NET the alert source is
# presumably the resolver rather than the querying client - confirm against
# sensor placement and correlate with resolver logs.
# target:src_ip marks the querying side as the alert target; each sid is 9
# followed by the IOC id from its reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kahsqql.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745096/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbbwmae.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745097/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbcgaor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745098/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcctbtu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745099/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kclucoq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745100/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcoupuw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745101/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcqwdfm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745102/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jluynhq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745063/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmazpbc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745064/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmqueld.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745065/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmuaypu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745066/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmyuzui.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745067/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmzmtpj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745068/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jobmwyc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745069/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jogujlh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745070/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonqhkp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745071/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"jpapziw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745072/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jpedmcz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745073/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqfcxrz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745074/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrwgrbg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745075/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jscfdqj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745076/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jshmsin.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1745077/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jsitazi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745078/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jskwyem.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745079/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jslmhdt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745080/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jsrriry.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745081/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswbqtq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745082/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745082; rev:1;) 
# ThreatFox botnet C2 domain IOCs (first_seen 2026_02_11), exact-name DNS query matches; one rule per line.
# NOTE(review): the alert source is whichever $HOME_NET address sent the query towards $EXTERNAL_NET.
# Where clients use an internal recursive resolver, that address may be the resolver rather than the
# infected host - correlate with resolver query logs before triage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jtccsih.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745083/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jcuqcgg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745044/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jcxhqus.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745045/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jdaqloc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745046/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jdykssm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745047/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jepzrdy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745048/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jfwqnos.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745049/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jgdathz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745050/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhakjmq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745051/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhenapp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745052/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhikfdl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745053/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhlzgnx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745054/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jilgnhe.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745055/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jizggyb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745056/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjlwqlk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745057/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkshfrw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745058/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkxzmun.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745059/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jlaxfgb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745060/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jllxtfy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745061/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jlqawun.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745062/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ioptnhz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745025/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iotzpak.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745026/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipeuqtw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745027/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipoldsc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745028/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipyjcmy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745029/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irjlrcp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745030/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iscfyub.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745031/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745031; rev:1;)
# ThreatFox botnet C2 domain IOCs (first_seen 2026_02_11), exact-name DNS query matches; one rule per line.
# No threshold keyword is set on these rules, so every matching query raises its own alert.
# NOTE(review): a host that retries these names repeatedly may be noisy - consider a per-source
# rate limit in the sensor's threshold configuration if that shows up in practice.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"issmdic.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745032/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itltgsn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745033/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itmmbwo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745034/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iuonnjj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745035/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwjsndf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745036/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwosxok.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745037/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwytjtn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745038/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iytuorj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745039/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"izbhyju.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745040/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iznxlgs.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745041/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jansqit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745042/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jbrlcrj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745043/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifpwggb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745004/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifwmuhj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745005/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745005; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifxluhi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745006/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745006; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igdycbm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745007/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745007; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihlleyr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745008/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihrgxmu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745009/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745009; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihsfmzs.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745010/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745010; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihycerf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745011/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihyrunu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745012/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikkgoew.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745013/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikyjapc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745014/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745014; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilxzhft.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745015/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745015; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imblrfx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745016/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imkbmoj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745017/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745017; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imnlqpw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745018/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745018; rev:1;)
# ThreatFox botnet C2 domain IOCs (first_seen 2026_02_11), exact-name DNS query matches; one rule per line.
# A match shows only that a $HOME_NET host asked for the name; check the IOC record at the rule's
# reference URL and whether the query resolved before treating it as established C2 traffic.
# NOTE(review): names resolved over encrypted DNS (DoH/DoT) are not visible to dns_query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imzffmw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745019/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inessoz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745020/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iodflos.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745021/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iodrdyp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745022/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ioengfq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745023/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iokxhja.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745024/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hywpzax.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744984/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzbgcgi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744985/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzjwhng.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744986/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzrecfn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744987/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzupadc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744988/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iakdmks.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744989/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iaowgco.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744990/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iawlnru.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744991/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibhtbnn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744992/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibyiisa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744993/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icanujy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744994/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icimdww.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744995/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744995; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icjaxbo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744996/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icjktjy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744997/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744997; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ictnghs.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744998/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744998; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ictotrx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744999/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744999; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idpuhsr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745000/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745000; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iefwryp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745001/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ienuaxp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745002/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745002; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifeuawf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1745003/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91745003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmonylg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744965/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744965; rev:1;)
# The sid of each rule below is 9 followed by the ThreatFox IOC id in its reference URL, so an
# alert can be traced back to the feed entry. target:src_ip marks the querying host (the source
# of the DNS request) as the target in the generated event.
# An alert shows that a host looked the name up, not that a connection to it succeeded.
# NOTE(review): the names look algorithmically generated; confirm the malware family on the
# ThreatFox entry before scoping a response.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpabegn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744966/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpnodlt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744967/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpxnwxb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744968/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpymslf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744969/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hqryotj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744970/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hqtkobt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744971/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htgjmiy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744972/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htubcpi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744973/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"humnioi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744974/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huxpceb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744975/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwdyltr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744976/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwpbqon.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744977/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwqebda.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744978/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwuslpo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744979/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxamgdh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744980/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxcxyag.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744981/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxkclwx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744982/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxyprdk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744983/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcwedlb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744944/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdhkujg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744945/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdkzwks.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744946/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdqnxab.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744947/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hebjfin.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744948/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfnwyrj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744949/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfoarpm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744950/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgonccc.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744951/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhppdsg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744952/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhqcgjh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744953/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhzpliq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744954/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiszzij.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744955/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hizbwkd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744956/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjeauya.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744957/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjmkzts.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744958/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjwcugj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744959/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkkdiqt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744960/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hknhnjd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744961/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlrttqb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744962/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hlwxexq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744963/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmaocjg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744964/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtfgwok.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744922/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtuzuuf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744923/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gumriww.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744924/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwmtomk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744925/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwoatrg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744926/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwxbxaz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744927/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gxemumz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744928/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gxiunhq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744929/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gxtpher.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744930/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyhhgrc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744931/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyrisap.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744932/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gzszapn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744933/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gzyjpdx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744934/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hagjzka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744935/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haktgrp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744936/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haqeebn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744937/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbmuxmh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744938/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hboyjrn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744939/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbrgmzy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744940/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbzqmnh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744941/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcgrnpn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744942/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcqiozz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744943/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggznjls.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744903/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghqduoj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744904/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkhdxpf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744905/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkzujmj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744906/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gljpimt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744907/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmqpcgb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744908/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gneygyh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744909/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gnxenuf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744910/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gnxwrtd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744911/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gomgnoe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744912/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gompxer.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744913/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goqdqag.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744914/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gpjrjxo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744915/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gqnejcj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744916/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gqrsapp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744917/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gqxghyx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744918/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gscljni.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744919/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsnrrtf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744920/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtduued.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744921/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuxmmda.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744883/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuziuil.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744884/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fwajmet.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744885/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fwjsafn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744886/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fxpuwjg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744887/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fyjduti.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744888/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fzbwnme.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744889/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fzefezd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744890/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fzelrdf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744891/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fzoopeq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744892/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gadrukn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744893/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaiargt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744894/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaqelhl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744895/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbxsezy.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744896/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcbnkfs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744897/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcyzgmf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744898/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdxrzjt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744899/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744899; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfikzts.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744900/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggdmhgf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744901/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggtcrzu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744902/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmrolhu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744863/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmwpkrp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744864/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fnhmqkp.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744865/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foarlor.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744866/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fogmspe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744867/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fordleg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744868/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fpfaahf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744869/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fqiazzu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744870/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franznq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744871/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frycjar.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744872/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsgcpcg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744873/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsptnmz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744874/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsuiepb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744875/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"ftgrpgf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744876/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftqbery.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744877/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftztxwe.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744878/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuftxrr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744879/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fugmeoh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744880/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuoraue.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744881/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"furwnfr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744882/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feshhtl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744843/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffpfwfp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744844/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffpiiqs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744845/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffxbbol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744846/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744846; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffzncsj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744847/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fgcdpch.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744848/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhxmasm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744849/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fiablsb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744850/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fjbqpjx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744851/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fjebqan.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744852/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fjndaui.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744853/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fkfcwrs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744854/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fktzqlb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744855/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flelgif.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744856/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flowarf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744857/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flrurxb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744858/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flsplom.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744859/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fluqwcj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744860/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmdfplh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744861/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmkccsq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744862/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"eucawgh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744822/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eukohbp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744823/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euofuif.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744824/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euutcmk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744825/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euzgfxh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744826/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"excqgfr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744827/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exgnazl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744828/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exmsnmx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744829/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exxopru.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744830/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eycazas.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744831/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyhgoro.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744832/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744832; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eypykdd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744833/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezekwlx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744834/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faayshc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744835/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"famydfi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744836/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fanfyfm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744837/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbbmijq.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744838/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbjhnaz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744839/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fddacwt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744840/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdoazgd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744841/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdyxnnd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744842/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egrsdno.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744803/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eijtlxt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744804/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"einkpuf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744805/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eirlplm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744806/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ejuzlle.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744807/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ejwtdzw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744808/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"ekmfyiq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744809/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744809; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes on the "botnet C2 traffic (domain ...)" rules that follow.
#
# Layout: Suricata reads one rule per line (a rule may only span lines with a
#   trailing-backslash continuation), so the rules are kept one per line here.
# Match: dns_query (legacy spelling of dns.query) selects the DNS query name.
#   depth:<N> equals the length of the content string, which pins the match to
#   the start of the buffer, and isdataat:!1,relative requires that no byte
#   follows it; nocase makes the comparison case-insensitive. Net effect: the
#   queried name must equal the listed domain exactly, so a lookup of a
#   subdomain of a listed name does not alert.
# Direction: $HOME_NET -> $EXTERNAL_NET with target:src_ip marks the querying
#   internal address as the target side of the alert. Where clients use an
#   internal recursive resolver, that address is likely the resolver, not the
#   infected client; correlate with resolver query logs (depends on sensor
#   placement and on how $HOME_NET/$EXTERNAL_NET are defined).
# Volume: these rules carry no threshold keyword, so every matching query can
#   raise an alert; rate-limit downstream if a host beacons frequently.
# IDs: sid is "9" followed by the ThreatFox IOC id shown in the reference URL.
# Ageing: metadata first_seen is the only date carried by a rule; use it when
#   deciding how long to keep an entry loaded.
# NOTE(review): the names look algorithmically generated (7 letters plus
#   .ru/.net/.com); the rules themselves only say "botnet C2", so confirm the
#   malware family via the reference URL before triage.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekpctnf.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744810/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eksjbtj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744811/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekxwrss.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744812/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emzlrir.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744813/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744813; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epwkidh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744814/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epxznzf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744815/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eqnwmbl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744816/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744816; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eqpqmkq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744817/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744817; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eqsjnjm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744818/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744818; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erxhwip.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744819/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"escjxxr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744820/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"etcnlzw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744821/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744821; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyxqrsh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744783/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744783; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzxhqfe.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744784/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzzwfgn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744785/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eagnzdn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744786/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744786; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eajmdma.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744787/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744787; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eampsod.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744788/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744788; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eatrlcn.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744789/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eawlrfo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744790/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744790; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebdbjcp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744791/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744791; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebdsuxl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744792/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebmwtkz.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744793/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebqfork.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744794/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744794; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecduprs.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744795/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edzripy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744796/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efjsyll.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744797/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efnchcb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744798/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efqefgy.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744799/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efucisg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744800/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eghszki.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744801/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"egkzixf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744802/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drpmsjl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744763/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drtbfhh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744764/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drtoghb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744765/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744765; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dskrole.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744766/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744766; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dswpfhx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744767/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744767; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dtcjxif.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744768/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744768; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dtfgdzr.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744769/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dugwwsu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744770/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744770; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwcrmkh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744771/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwfteup.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744772/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwmdzxu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744773/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744773; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwsthxl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744774/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwuemge.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744775/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dxjttle.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744776/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dxoxgbx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744777/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dycopms.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744778/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744778; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dynlbdf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744779/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744779; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dypbkcb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744780/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyqzunc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744781/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyxhrun.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744782/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diqblfc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744742/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744742; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djabzmh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744743/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744743; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djwmdwy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744744/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744744; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dkqhmbi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744745/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dldzeoo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744746/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744746; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dlepmqj.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744747/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744747; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dlihgic.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744748/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmbszul.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744749/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744749; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmlgjrt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744750/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744750; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmsieue.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744751/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmunsdf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744752/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmyldke.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744753/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744753; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnfojik.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744754/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnnewrt.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744755/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744755; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnolsfi.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744756/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744756; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnstlgj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744757/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotsmpk.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744758/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqatwlw.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744759/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqeeuwp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744760/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqqsepz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744761/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drnwzgn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744762/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"czzdpkj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744722/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744722; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dblycni.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744723/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbohoxn.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744724/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcpfxpo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744725/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744725; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dctcqzg.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744726/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddlmtmg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744727/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddplnfp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744728/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"degstau.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744729/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dejjsgf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744730/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dejukkp.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744731/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744731; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"depkayo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744732/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744732; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deujayb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744733/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744733; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dexwlez.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744734/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dffdbzw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744735/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfhacah.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744736/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfiqfuj.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744737/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfpqhsx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744738/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgdfgkl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744739/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dikmzcs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744740/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diofysf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744741/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744741; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqoaxzl.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744702/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqpgneu.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744703/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqqidxa.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744704/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744704; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csirmsy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744705/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csobbai.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744706/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cssbuas.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744707/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctedwdd.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744708/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cthkhob.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744709/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cubwmio.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744710/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuemjuh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744711/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744711; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuhnbpg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744712/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744712; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwapqwe.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744713/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwnhdmt.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744714/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwsppqh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744715/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwxsiqo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744716/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cxafljx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744717/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cxxhtmb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744718/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cycmoep.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744719/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"czbnluu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744720/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"czronwq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744721/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cccfhiq.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744682/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdpgphm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744683/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cduarog.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744684/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cedpllb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744685/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceisbzh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744686/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744686; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cfhilbn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744687/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgortpl.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744688/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgzihgp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744689/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cjntgwz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744690/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckdbnxh.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744691/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ckftpwe.net"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744692/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cksfwam.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744693/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clieaqx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744694/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cntzfua.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744695/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocfomy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744696/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coghqzu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744697/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comwmbe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744698/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpgojhm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744699/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cprbyuu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744700/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cprxgwz.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744701/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brtqbqm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744662/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"bthmzsp.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744663/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btnioep.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744664/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bufechp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744665/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bwfakki.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744666/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bwrtqbk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744667/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bwxmaui.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744668/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bwzrirg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744669/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxcgumg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744670/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxctyqf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744671/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxhkjwl.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744672/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxneuda.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744673/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744673; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxzksoo.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744674/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"byosnwr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744675/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bzbdmnk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744676/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caejtfs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744677/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cajnmbr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744678/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"calcnhf.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744679/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cbbfywr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744680/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cbrwnhh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744681/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bihamfh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744643/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biutomh.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744644/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bjlyxcu.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744645/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkcwfbm.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744646/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blwszto.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744647/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmazlky.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744648/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmgiyyf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744649/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmiwzfg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744650/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"bnhacod.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744651/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnnqkmb.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744652/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnsnubx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744653/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bodhuic.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744654/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bogbisk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744655/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bojobpm.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744656/; 
target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bpjbgfk.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744657/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bpjqffr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744658/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqmoolr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744659/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqzjofd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744660/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"briczir.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744661/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744661; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azpqiyb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744622/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"banggpw.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744623/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbaqmpj.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744624/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbdbnzb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744625/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbewoyc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744626/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbjzotm.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744627/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbnlexs.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744628/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bcbxfme.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744629/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bcfique.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744630/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bclqhmf.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744631/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bcwmuys.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744632/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; 
classtype:trojan-activity; sid:91744632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bedojqw.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744633/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgaghbg.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744634/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgdnjuu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744635/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgnlbfi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744636/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bguzxam.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744637/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"bgxgnhq.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744638/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744638; rev:1;)
# Reading the ThreatFox domain rules in this section (one rule per line):
# - Match scope: dns_query + content, with depth equal to the domain length and
#   isdataat:!1,relative, pins the pattern to the whole query name. Only the exact
#   name alerts; a query for a subdomain of a listed domain does not match.
#   nocase makes the comparison case-insensitive.
# - Direction: only queries from $HOME_NET to $EXTERNAL_NET are inspected.
#   NOTE(review): depending on sensor placement, the alerting source may be a
#   recursive resolver rather than the host that asked; correlate with resolver
#   query logs to find the originating client.
# - Meaning of a hit: a lookup of the name was seen, not a completed connection
#   to the C2. target:src_ip labels the querying side as the target in alert output.
# - Volume: no threshold keyword is set on these rules, so every matching query
#   raises an alert; rate-limit or suppress per sid locally if a host repeats lookups.
# - Identifiers: sid is 9 followed by the ThreatFox IOC id from the reference URL.
# - Triage: msg names no malware family and every complete rule here carries
#   first_seen 2026_02_11. NOTE(review): the names look machine-generated; confirm
#   family and current status at the reference URL before escalating.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhayoyk.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744639/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhguqer.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744640/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhjlmbb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744641/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhjoroa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744642/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apjpsil.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744601/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apyfxar.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744602/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqdwfci.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744603/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqhwdpf.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744604/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqkzhtx.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744605/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcocfd.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744606/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpmbwn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744607/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asfrdxx.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744608/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asjtwhe.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744609/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmlelr.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744610/; target:src_ip; metadata: confidence_level 100, first_seen 2026_02_11; classtype:trojan-activity; sid:91744610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attjphr.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1744611/; target:src_ip; metadata: confidence_level 100, first_seen 2026_0